I. INTRODUCTION


A.  PROJECT  PURPOSE 

This  study  reviews  the  current  DoN  Manager’s  Internal  Control  Manual  to 
evaluate  its  effectiveness  in  helping  to  align  the  Navy’s  current  mission,  organizational 
philosophy,  management  strategy,  goals,  metrics,  sustainment  efforts,  and  improvement 
programs. 

B.  PROJECT  OBJECTIVES 

•  Determine  if  the  MIC  manual  aligns  with  the  spirit  and  intent  of  the 
SECNAVINST 5200.35E and other pertinent statutory and regulatory
references 

•  Identify  ease  of  use  and/or  any  potential  challenges  in  applying  the 
concepts  as  outlined  in  the  aforementioned  manual. 

•  Review  current  DoN  Managers’  Internal  Control  (MIC)  Manual  to 
evaluate its effectiveness in aligning an organization’s current mission,
organizational  philosophy,  management  strategy,  goals,  metrics, 
sustainment  efforts,  and  improvement  programs 

C.  BACKGROUND 

As stated in SECNAV Instruction 5200.35E:

DoN  Personnel  are  responsible  for  the  proper  stewardship  of  Federal 
resources  as  a  basic  obligation  of  their  public  service.  They  must  ensure 
government  resources  are  used  in  compliance  with  the  laws  and 
regulations,  consistent  with  mission,  and  with  minimal  potential  for  waste, 
fraud,  and  abuse.  Management  Controls  (MCs)  and  Internal  Controls  (ICs) 
are  synonymous  terms  to  describe  the  tools  military  and  civilian  managers 
use  to  achieve  results  and  safeguard  the  integrity  of  programs.  IC’s  are 
sound  management  practice  and  play  an  important  role  in  achieving 
business  and  mission  objectives  throughout  the  DoN.  Under  the  authority 
of SECNAVINST 5430.7N, Assignment of Responsibilities and
Authorities in the Office of the Secretary of the Navy, 9 June 2005, the
Secretary of the Navy Instruction (SECNAVINST) 5200.35E, the
Department  of  the  Navy  (DoN)  Managers’  Internal  Control  (MIC) 
program  regarding  internal  controls  across  the  DoN  was  issued. 
(SECNAVINST  5200.35E,  2006,  p.  1) 

The MIC manual specifies procedures for implementing an internal control
program  throughout  the  DoN.  The  internal  control  program  serves  as  management’s  basis 
for  the  DoN  annual  Statement  of  Assurance.  “Internal  control  should  be  recognized  as  an 
integral  part  of  each  system  that  management  uses  to  regulate  and  guide  its  operations 
rather  than  as  a  separate  system  within  an  agency”  (GAO/AIMD  00-21.3.1,  1999,  p.  5). 
The  MIC  Manual  is  applicable  to  the  Offices  of  the  Secretary  of  the  Navy,  The  Chief  of 
Naval  Operations  (CNO),  the  Commandant  of  the  Marine  Corps  (CMC),  and  all  Navy 
and  Marine  Corps  activities,  installations,  commands,  ships,  and  stations. 

D.  LITERATURE  REVIEW 

“Internal control is management control that is built into the entity as a part of the
infrastructure  to  help  managers  run  the  entity”  (GAO/AIMD  00-21.3.1,  1999,  p.  6).  By 
analyzing  the  DoN  MIC  Program  Manual,  the  authors  of  this  report  seek  to  determine  the 
effectiveness  of  implementing  this  program  throughout  an  organization.  Several  reports 
and  audits  have  been  conducted  (GAO  Report  03-147,  GAO  Report  AIMD-99-19,  and 
Comptroller General Report AFMD-81-30) citing internal control weaknesses within
the  Department  of  Defense  and  DoN.  However,  the  majority  of  these  audits/reports 
focused  on  shortcomings  within  various  operational  or  program  levels  such  as  inventory 
management,  transportation,  travel  cards,  credit  cards,  improper  payment  disbursing,  and 
financial management rather than the MIC program or manual. A common thread of
these audits blames operational and program deficiencies on poor internal management
controls.  Follow-on  guidance  and  reports  by  GAO  and  other  organizations  have  been 
issued  in  order  to  strengthen  management  controls.  A  review  of  these  reports  did  not 
reveal  that  a  study  of  the  MIC  program  manual  has  been  conducted  to  date. 

1.  Department  of  the  Navy’s  First-Year  Implementation  of  the  Federal 
Managers’  Financial  Integrity  Act  (FMFIA) 

In 1984, GAO conducted a review and analysis of the Navy's implementation of
the Federal Managers' Financial Integrity Act of 1982, which required executive agencies
to provide reports detailing the adequacy of internal accounting and administrative
control systems. GAO found that the Navy was making progress in strengthening internal
controls, but had issues with the delays in achieving a satisfactory Internal Management
Control  program  throughout  the  Navy.  Specifically,  these  issues  pertained  to 
shortcomings  resulting  from  limited  timeframes  and  staff  resources  in  the  Office  of  the 
Comptroller  of  the  Navy.  These  limitations  contributed  to  late  and  limited  guidance  from 
the  Office  of  the  Comptroller  of  the  Navy  to  headquarters  components  and  field 
activities.  GAO  concluded  that  DoN  Managers  at  all  levels  needed  to  give  more  support 
in  order  to  implement  the  program  successfully  (GAO/NSIAD-84-94,  1984). 

2.  Standards  of  Internal  Control 

The Federal Managers’ Financial Integrity Act (FMFIA) of 1982 tasked GAO
with  developing  and  issuing  standards  for  internal  control  within  the  federal  government. 
This  mandate  provided  an  overall  framework  for  establishing  and  maintaining  internal 
control  or  identifying  major  performance  or  management  challenges  within  federal 
agencies  (OMB;  FMFIA,  1982).  In  1999,  GAO  published  a  report  titled  Standards  for 
Internal  Control  in  the  Federal  Government.  This  report  updated  the  previous  “Standards 
for  Internal  Control  in  the  Federal  Government”  instituting  the  private  sector’s  internal 
control  guidance  of  Internal  Control-Integrated  Framework,  published  by  the  Committee 
of Sponsoring Organizations of the Treadway Commission (COSO) (GAO/AIMD 00-21.3.1,
1999, p. 1). This report defined controls as “A major part of managing an
organization... comprising the plans, methods, and procedures used to meet missions,
goals, and objectives, and in doing so, support performance-based management”
(GAO/AIMD  00-21.3.1,  1999,  p.  4).  The  report  lists  and  defines  the  Five  Standards  of 
Internal  Management  Controls  as  Control  Environment,  Risk  Assessment,  Control 
Activities,  Information  and  Communication,  and  Monitoring  (GAO/AIMD  00-21.3.1, 
1999). 


3.  Internal  Control  Management  and  Evaluation  Tool  (GAO  Tool) 

In  2001,  GAO  published  a  report  titled  Internal  Control  Management  and 
Evaluation  Tool  (herein  referred  to  as  the  “GAO  tool”).  This  publication  provides  “a 
systematic,  organized,  and  structured  approach  to  assessing  the  internal  control  structure” 
(GAO-01-1008G, 2001, p. 1). The GAO tool is based on and corresponds to the five
standards  for  internal  controls  published  by  GAO  in  1999.  The  use  of  the  GAO  tool  is  not 
required;  however,  it  is  designed  to  assist  federal  agencies  in  implementing  as  well  as 
maintaining  and  sustaining  effective  internal  control.  The  GAO  tool  was  developed  using 
input  from  multiple  documents,  but  the  primary  sources  included  the  GAO’s  Standards  of 
Internal  Control  in  the  Federal  government,  as  well  as  information  contained  within  the 
“Evaluation  Tool”  section  of  the  Internal  Control-Integrated  Framework,  developed  by 
the  Committee  of  Sponsoring  Organizations  of  the  Treadway  Commission  (COSO). 
Existing legislation also contributed to the development of the GAO tool. The Acts
included the Federal Managers’ Financial Integrity Act (FMFIA) of 1982, the Chief
Financial Officers Act of 1990, the Government Performance and Results Act (GPRA)
of 1993, and the Federal Financial Management Improvement Act (FFMIA) of 1996
(GAO-01-1008G, 2001).

As  outlined  above,  the  GAO  tool  not  only  directly  corresponds  to  the  five 
standards  for  internal  controls  (Control  Environment,  Risk  Assessment,  Control 
Activities,  Information  and  Communication,  and  Monitoring)  that  were  published  by 
GAO  in  1999,  but  it  also  contains  checklists  and  methods  for  assessing  independent 
evaluations  and  the  resolution  of  audits  or  other  reviews.  Each  of  the  above  listed 
standards  is  an  independent  section  within  GAO’s  tool  and  is  sub-divided  into  major 
factors.  For  example,  the  Control  Environment  is  sub-divided  into  major  factors  such  as 
Integrity  and  Ethical  Values,  Commitment  to  Competence,  and  Organizational  Structure. 
These  major  factors  are  further  broken  down  into  points  and  subsidiary  points. 
Organizational Structure, for example, is broken down into five points, the first of which
considers  whether  the  organizational  structure  is  appropriate  for  the  size  and  purpose  of 
its  operations.  Under  these  five  points  are  several  additional  subsidiary  points  that  an 
organization  using  the  GAO  tool  should  review.  Within  the  GAO  tool,  any  stated 
standard,  major  factor,  point,  or  subsidiary  point  can  be  used  as  a  guide  while  assessing 
internal  controls  of  an  organization.  Further,  the  GAO  tool  is  formatted  as  a  checklist  and 
is  equipped  with  a  section  for  adding  comments  or  listing  descriptions  regarding 
internal control strengths and weaknesses. Using the GAO tool also enables an
organization or designated representative to assess the applicability of various internal
controls within the organization (GAO-01-1008G, 2001).

4.  Major  Management  Challenges 

In  2003,  GAO  produced  another  report  titled  Major  Management  Challenges  and 
Program Risks for the DoD. This report, which focused on performance and
accountability,  identified  systemic  and  specific  problems  with  management  processes 
related  to  strategic  planning,  human  capital,  support  infrastructure,  financial  and 
information  management,  acquisition  reform,  contracting  processes,  and  logistics 
reengineering  (GAO-03-98,  2003).  The  report  asserts  that  “significant  management 
problems  continue  to  impact  the  economy,  effectiveness,  and  efficiency  of  DOD's 
business  processes”  (GAO-03-98,  2003,  p.  1).  Although  these  discrepancies  were  largely 
seen  as  negative,  the  GAO  did  note  that  the  DoD  had  taken  positive  action  in 
transformation and improvement initiatives. The GAO concluded that the long-standing
financial  management  problems  greatly  contributed  to  (and  adversely  affected)  the  DoD’s 
ability  to  control  costs,  ensure  basic  accountability,  anticipate  future  costs,  measure 
performance,  maintain  funds  control,  prevent  fraud,  and  address  pressing  management 
issues  (GAO-03-98,  2003). 

5.  Effective  Internal  Controls  Is  Key  to  Accountability 

In  2005,  GAO  published  a  report  titled  Financial  Management:  Effective  Internal 
Control  Is  Key  to  Accountability.  This  report  was  a  summation  of  testimony  given  before 
Congress.  “This  testimony  outlines  the  importance  of  internal  control,  summarizes  the 
long-standing  Congressional  interest  in  internal  control  and  the  related  statutory 
framework,  discusses  GAO’s  experiences  and  lessons  learned  from  agency  assessments 
since  the  early  1980s,  and  provides  GAO's  views  on  the  Office  of  Management  and 
Budget's (OMB’s) recent revisions to its Circular A-123” (GAO-05-321T, 2005, p. 1). It
recognized  six  areas  of  importance  in  order  to  implement  OMB  Circular  123 
successfully.  Specifically: 

The need for supplemental guidance and implementation tools; vigilance
over  the  broader  range  of  controls  covering  program  objectives;  strong 
support  from  managers  throughout  the  agency  and  at  all  levels;  risk-based 
assessments  and  an  appropriate  balance  between  the  costs  and  benefits  of 
controls;  management  testing  of  controls  in  operation  to  assess  if  they  are 
designed  adequately  and  operating  effectively;  and  management 
accountability for control breakdowns. (GAO-05-321T, 2005, p. 1)

This testimony asserted that internal controls were at the center of accountability
(GAO-05-321T, 2005).

6.  Report  on  DOD  Compliance  with  Federal  Managers’  Financial 
Integrity  Act  (FMFIA)  of  1982 

In 2007, the DoD Inspector General’s Office published Report on DoD Compliance
with FMFIA of 1982. The report reviewed and compared feeder components’ Statements
of Assurance, GAO reports, audits, inspections, and investigations to find concurrence or
differences with the DoD Annual Statement of Assurance for Internal Controls. The report
concluded  that  the  DoD  did  not  “have  an  adequate  basis  for  giving  a  qualified  opinion  on 
the  effectiveness  of  internal  control  over  financial  reporting  as  long  as  current 
weaknesses  continue  to  exist”  (DoD  IG  Report  D  2007-093,  2007,  p.  10).  However,  the 
report  stated  they  “did  not  perform  an  in-depth  review  of  the  process  used  by  DoD 
management  to  assess  the  effectiveness  of  internal  controls  over  financial  reporting  as 
required  by  OMB-123”  (DoD  IG  Report  D  2007-093,  2007,  p.  10). 

7.  Sustaining  Internal  Controls 

In  2007,  K.  Bresnahan  published  the  article,  Sustaining  Internal  Control 
Programs.  He  concluded  that  sustaining  internal  controls  required  organizations  to 
possess  not  only  sound  internal  controls  but  to  also  possess  a  sustainment  structure  for 
internal  controls.  A  successful  sustainment  structure  would  have  the  following  key 
characteristics:  effective  internal  control  program;  focused  and  flexible  leaders;  flexibility 
in  changing  controls  to  the  changing  environment;  the  ability  to  respond  adequately  to 
updates,  testing,  and  remediation;  continual  planning;  an  ability  to  assess  and  determine 
the effectiveness of an assessment process; and a proactive cultural mindset.
According to the article, OMB’s new rules accomplished a clear understanding that
management must be proactive in determining effective controls (Bresnahan, 2007, p.
45).

To summarize, the literature review identified several audits and reports that
cited weaknesses in ICs within the DoD and DoN. While the majority of the
audits/reports focused on operational and management control weaknesses, none were
found to contain a direct assessment of overarching IC systems or programs. Further, a
review of these reports did not reveal that an assessment of the MIC program and manual
had been completed. The literature review also identified the GAO Tool, a publication
that was recognized by the authors of this report as a sound means for evaluating the MIC
manual. Finally, the remaining reports (within the literature review) provided additional
justification regarding the importance of ICs and the need for assessing the MIC manual.

E.  ORGANIZATION 

Chapter  I  provides  an  overview  of  the  project:  its  purpose,  objectives,  and  a  brief 
background.  Chapter  II  contains  a  review  and  analysis  of  multiple  statutory  and 
regulatory  documents  and  references  which  provide  a  historical  chronology  of  internal 
control  processes  leading  up  to  the  development  and  revisions  to  the  current  Manager’s 
Internal  Control  (MIC)  Program.  This  historical  review  includes  the  Budget  and 
Accounting  Act  of  1921,  the  Budget  and  Accounting  Procedures  Act  of  1950,  the  Office 
of Management and Budget (OMB) Circular A-123, the Federal Managers Financial
Integrity Act (FMFIA) of 1982, the Sarbanes-Oxley Act of 2002, SECNAVINST
5200.35E, and other statutory and regulatory reference materials. Chapter III focuses on
defining  and  discussing  various  perspectives  regarding  the  purpose  of  internal  controls  as 
viewed  in  both  the  federal  government  and  private  sector.  Additionally,  Chapter  III 
identifies  the  components  of  an  effective  internal  control,  outlines  internal  control 
limitations,  and  explains  the  methods  in  which  organizations  can  express  internal  control 
requirements.  Chapter  III  also  contains  discussions  surrounding  the  importance  of 
sustaining  internal  controls  and  systems.  In  Chapter  IV,  the  DoN  Managers’  Internal 
Control  (MIC)  Manual  is  described  in  detail  to  provide  the  reader  with  an  understanding 
of its content. In Chapter V, the MIC manual is evaluated against the following
objectives: First, does the MIC manual align with the spirit and intent of the SECNAV
5200.35E and other pertinent statutory and regulatory references? Second, is the manual
easy to comprehend and implement, or does it contain potential challenges in applying
the concepts as outlined in the aforementioned MIC program? Finally, Chapter V reviews
the current DoN Managers’ Internal Control (MIC) Manual to evaluate its effectiveness
in aligning an organization’s current mission, organizational philosophy, management
strategy, goals, metrics, sustainment efforts, and improvement programs. Chapter VI
contains conclusions and recommendations.

II. ORIGIN OF MIC PROGRAM


A.  INTRODUCING  THE  HISTORICAL  SIGNIFICANCE 

In  an  effort  to  obtain  a  clear  understanding  of  what  brought  about  the  MIC 
Program,  it  is  relevant  to  trace  the  background  and  origin  of  internal  control  processes 
within  the  federal  government.  By  analyzing  the  lineage  of  documents  pertaining  to 
internal  controls  throughout  the  federal  government,  the  authors  hope  to  uncover  the 
spirit  and  intent,  which  led  to  the  development  of  the  MIC  program  and  the  associated 
manual  within  the  DoN.  Additionally,  in  tracing  the  background  and  origin  of  internal 
control  processes  throughout  the  federal  government,  the  authors  of  this  report  hope  to 
reveal  evolutionary  changes  that  have  occurred,  and  the  impact  these  changes  have  had 
on  the  current  state  of  the  MIC  program. 

To  accomplish  this  task,  a  historical  review  and  analysis  of  multiple  statutory  and 
regulatory  documents  has  been  conducted.  The  below  listed  references  have  been 
reviewed  and  are  considered  to  have  historical  significance  and  bearing  on  the 
development  of  the  current  DoN’s  Manager’s  Internal  Control  (MIC)  Program.  The 
criteria used in determining whether a reference was deemed historically significant
involved identifying the primary source document to the MIC program (SECNAVINST
5200.35E), and then tracing the references contained in the SECNAVINST backwards to
determine the originating source documents. This tracing process identified the
Budget and Accounting Act of 1921 as the source document that put internal controls
in motion within the federal government. The literature reviewed includes the Budget and
Accounting Act of 1921, the Budget and Accounting Procedures Act of 1950, the Office
of Management and Budget (OMB) Circular A-123 (and amendments), the Federal
Managers  Financial  Integrity  Act  (FMFIA)  of  1982,  the  Government  Performance  and 
Results  Act  (GPRA)  of  1993,  the  Sarbanes-Oxley  Act  of  2002,  DoD  Directive  5010.38, 
DoD  Directive  5010.40,  DoD  Instruction  5010.40,  and  SECNAVINST  5200.35E.  Other 
statutory  and  regulatory  reference  materials  that  indirectly  contributed  to  the  influence  of 
the  DoN’s  MIC  program  are  listed  in  Appendix  A. 

B. THE BUDGET AND ACCOUNTING ACT OF 1921

The  Budget  and  Accounting  Act  of  1921  was  characterized  as  “probably  the 
greatest landmark of our administrative history” (Emmerich, Herbert, 1971, p. 40). The
1921  act  established  measures  that  enabled  Congress  to  exercise  more  control  and 
oversight  over  federal  spending.  Signed  by  Congress  June  10,  1921,  the  act  established 
the  requirement  for  the  President  to  submit  an  annual  consolidated  budget  proposal  to 
Congress,  covering  all  federal  revenues  and  expenditures  for  the  upcoming  fiscal  year 
(Public  Law  67-13,  42  Stat.  20). 

The  1921  act  created  a  central  budget  office,  the  Bureau  of  the  Budget;  and  a 
Congressional  audit  agency,  the  General  Accounting  Office.  The  predecessor  to  the 
Office  of  Management  and  Budget  (OMB),  the  Bureau  of  the  Budget  was  established  to 
provide  the  President  with  the  resources  necessary  to  produce  the  annual  consolidated 
budget.  The  General  Accounting  Office  (now  referred  to  as  the  Government 
Accountability  Office  (GAO))  was  established  to  provide  Congress  with  oversight  and 
accountability  of  the  federal  budget.  The  GAO  was  charged  to  "investigate,  at  the  seat  of 
government  or  elsewhere,  all  matters  relating  to  the  receipt,  disbursement,  and 
application  of  public  funds,  and  shall  make  to  the  President... and  to  Congress... reports 
(and)  recommendations  looking  to  greater  economy  or  efficiency  in  public  expenditures" 
(Public  Law  67-13,  42,  Sec.  312(a),  Stat.  25). 

C.  THE  BUDGET  AND  ACCOUNTING  PROCEDURES  ACT  OF  1950 

Rabin (1992) argues that the Budget and Accounting Act of 1950 is “the most
significant development in federal accounting” (Rabin, 1992, p. 248). The act introduced
budget reform that outlined the accountability responsibilities of the Comptroller General
and established the requirement for unified accounting and reporting systems within the
U.S. government agencies. The 1950 act required the Comptroller General of the United
States to establish and be responsible for prescribing the accounting principles, standards,
and related requirements for accounting as guidance for executive agencies. The 1950 act
also required the Treasury Department to establish unified accounting and reporting
systems capable of maintaining data on the financial operations and position of the
government as a whole (Rabin, 1992, p. 248) and required the head of each executive
agency  to  establish  adequate  and  effective  agency  accounting  and  internal  control 
systems  that  conformed  to  the  Comptroller  General’s  guidance. 

D.  INTERNAL  CONTROL  SYSTEMS;  OMB  CIRCULAR,  A-123,  OF  1981 

Office  of  Management  and  Budget  (OMB),  a  part  of  the  Executive  office  of  the 
President,  releases  documents  called  circulars  that  are  prepared  by  various  federal 
agencies  concerning  issues  within  their  specific  departments.  One  such  circular,  OMB 
Circular  A-123  was  issued  in  October  of  1981.  Then  titled  “Internal  Control  Systems,” 
OMB  Circular  A-123  implemented  various  internal  control  standards,  as  well  as  a  system 
which  outlined  agency  requirements  and  responsibilities  as  it  pertained  to  possible  fraud, 
waste,  and  abuse.  OMB  Circular  A-123  was  issued  to  further  develop  federal  standards 
for  establishing  internal  controls,  identifying  internal  control  weaknesses,  and  to  address 
compliance  issues  surrounding  the  implementation  and  execution  of  internal  controls. 
Additionally,  according  to  a  Government  Accounting  Office  (GAO)  Financial 
Management Report, OMB first issued Circular A-123 in anticipation of FMFIA
becoming law (GAO, 2005, p. 3).

Circular  A-123  contains  an  array  of  definitions,  which  seek  to  refine  and  provide 
a  shared  understanding  of  terms  such  as  Internal  Control,  Internal  Control 
Documentation,  Internal  Control  Guidelines,  Internal  Control  Review,  Standards, 
System,  technique,  and  material  weakness.  Circular  A-123  mandates  agencies  to  maintain 
an  effective  system  of  accounting  and  administrative  control  while  also  charging  all 
levels  of  management  to  involve  themselves  in  ensuring  adequate  controls  exist  or  are 
implemented.  Circular  A-123  policy  also  requires  all  internal  control  systems  be 
evaluated  on  a  regular  basis  and  states  that  new  programs  shall  incorporate  effective 
systems  of  internal  control  (OMB  Circular  A-123,  1983,  p.  2).  Finally,  Circular  A-123 
requires  internal  control  activities  and  evaluation  results  be  reported  out  on  an  as  required 
basis. 

E. FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT (FMFIA) OF
1982 (P.L. 97-255 - (H.R. 1526))

In  1982,  the  Senate  and  House  of  Representatives  amended  the  Accounting  and 
Auditing  Act  of  1950  and  Budget  and  Accounting  Act  of  1921.  The  new  Act  was  called 
the  Federal  Managers'  Financial  Integrity  Act  (FMFIA)  of  1982  (OMB;  FMFIA,  1982,  p. 
1).  Signed  into  law  September  8,  1982,  FMFIA  amended  the  Accounting  and  Auditing 
Act  of  1950  by  adding  language  which  required  ongoing  evaluations  and  reports  of  each 
executive  agency.  Specifically,  FMFIA  required  executive  agencies  to  provide  reports 
detailing  the  adequacy  of  internal  accounting  and  administrative  control  systems. 
Additionally,  executive  agencies  were  required  to  follow  standards  (as  prescribed  by  the 
Comptroller  General)  and  provide  reasonable  assurance  that  obligations  complied  with 
appropriate  law  and  that  funds,  property,  and  other  assets  were  safeguarded  against  fraud, 
waste,  misappropriation,  and  abuse.  The  executive  agencies  were  also  required  to  provide 
reasonable  assurance  that  revenues  and  expenditures  of  executive  agencies  were  properly 
recorded  and  accounted  for  in  order  to  facilitate  reliable  financial  reports  and  maintain 
accountability  (OMB;  FMFIA,  1982,  p.  1). 

FMFIA  directed  the  Director  of  OMB,  in  consultation  with  the  Comptroller 
General  to  establish  guidelines  for  the  evaluation  of  each  agency  and  their  systems  of 
internal  accounting  and  administrative  control.  This  mandate  was  established  to  assess 
whether  or  not  each  internal  control  system  was  in  compliance  with  the  requirements;  and 
was  to  be  complete  by  December  31,  1982.  FMFIA  also  directed  the  head  of  each 
executive  agency  to  prepare  a  statement  evaluating  the  compliance  of  that  agency's 
system  of  internal  accounting  and  administrative  controls.  This  statement  was  to  be 
submitted by December 31, 1983, and by December 31 of each succeeding year (OMB;
FMFIA, 1982).

The  FMFIA  tasked  GAO  with  developing  and  issuing  standards  for  internal 
control  within  the  federal  government.  This  mandate  provided  an  overall  framework  for 
establishing  and  maintaining  internal  control  or  identifying  major  performance  or 
management  challenges  within  federal  agencies  (OMB;  FMFIA,  1982). 

F. GOVERNMENT PERFORMANCE AND RESULTS ACT (GPRA) OF 1993

The  One  Hundred  Third  Congress  of  the  United  States  of  America  passed  the 
Government Performance and Results Act (GPRA) into law on January 5, 1993. The law
required federal agencies to clarify their missions, set strategic and annual performance
goals, and measure their performance in these areas. This Act required that the results be
reported to OMB. The law was designed to improve the confidence of the American people
that  the  Federal  Government  was  effectively  and  efficiently  managing  programs  and 
spending.  The  Act  also  identified  internal  control  as  an  integral  part  of  establishing  a 
framework  to  measure  and  achieve  set  goals  that  correspond  with  a  strategic  vision  and 
mission  objective  (GPRA,  1993). 

G.  MANAGEMENT  ACCOUNTABILITY  AND  CONTROL;  REVISED 
CIRCULAR,  A-123  OF  1995 

Due,  in  part,  to  an  array  of  reporting  procedures  and  requirements  concerning  the 
monitoring  and  documentation  of  internal  control  processes,  OMB  made  a  substantial 
revision  to  OMB  Circular  A-123.  Rather  than  have  several  different  (and  independent) 
internal  control  policies,  assessments,  and  requirements  conducted  by  auditors  and 
managers  throughout  various  federal  agencies,  the  revised  OMB  Circular  of  1995 
provided  a  framework  wherein  internal  control  assessments  could  be  integrated  under  one 
organization  and  into  a  single  document.  Additionally,  the  reporting  and  assessment 
requirements  of  OMB’s  revised  Circular  (A-123  of  1995)  were  relaxed  and  gave  federal 
agencies more leeway in determining the method for producing the annual assurance
statement to Congress (GAO-05-321T, 2005, pp. 7-8).

H.  FEDERAL  FINANCIAL  MANAGEMENT  IMPROVEMENT  ACT 
(FFMIA)  OF  1996  (PUBLIC  LAW  104-208) 

The  FFMIA  of  1996  was  signed  into  law  in  order  to  improve  Federal  financial 
management  through  improvements  within  the  Federal  financial  management  systems. 
The  FFMIA  sought  improvements  to  Federal  financial  management  systems  by  requiring 
more accurate, reliable, and timely financial management information to the
government’s managers. In complying with the FFMIA, it was argued that the
reliability in the financial management information would increase and in turn, better
assist program managers and the Executive and Legislative branches of government in
support of public interests (Public Law 104-208, 1996).

I.  SARBANES-OXLEY  ACT  OF  2002 

Also  known  as  the  Public  Company  Accounting  Reform  and  Investor  Protection 
Act  of  2002,  the  Sarbanes-Oxley  Act  (SOX)  enacted  amendments  to  the  Securities  Act  of 
1934  that  changed  the  regulation  of  corporate  governance  and  standards  for  financial 
accounting  practices  in  the  United  States  (Addison-Hewitt  Associates,  2004).  Enacted  on 
July  30,  2002  as  Public  Law  107-204  statute  745,  SOX  is  a  piece  of  legislation  focused 
on  improving  the  quality,  reliability  and  transparency  in  financial  reporting  and 
independent  audits  and  accounting  services  for  all  companies  regulated  by  the  Securities 
Exchange  Commission  (SEC)  (Addison-Hewitt  Associates,  2004).  Arranged  into  eleven 
titles,  the  Sarbanes-Oxley  provisions  outline  various  non-negotiable  deadlines  for 
compliance,  periodic  statutory  financial  reporting  requirements,  and  integrated  auditing 
and  accounting  standards  (Epstien,  Nach  &  Bragg,  2008). 

The  principal  regulatory  focus  of  SOX  is  on  auditors  and  corporate  management 
(Epstien,  Nach  &  Bragg,  2008,  p.  12).  The  SOX  act  not  only  increases  management’s 
responsibility  for  assessing  the  effectiveness  of  internal  control  over  financial  reporting 
(Epstien,  Nach  &  Bragg,  2008,  p.  12),  but  also  imposes  criminal  sanctions  on  individuals, 
registered  accounting  and  auditing  firms,  and  publicly  held  companies  which  fail  to 
comply  with  the  strict  accounting  oversight  and  internal  control  mandates  (Welytok, 
2008).  The  SOX  act  established  the  Public  Company  Accounting  Oversight  Board 
(PCAOB)  to  assume  the  responsibility  of  monitoring  public  companies,  provide 
independent  oversight  of  their  accounting  practices,  issue  standards  for  public  company 
audits  and  regulate  the  practices  of  auditors  and  registered  audit  firms”  (Whittington  & 
Pany,  2008,  p.  52). 

J.  MANAGEMENT  RESPONSIBILITY  FOR  INTERNAL  CONTROL; 
REVISED  CIRCULAR,  A-123  OF  2004 

In  December  of  2004,  OMB  published  the  most  recent  revision  of  Circular  A-123. 
Prompted  by  the  Sarbanes-Oxley  Act  of  2002,  the  Department  of  Homeland  Security 
Financial  Accountability  Act  of  2004,  and  recommendations  from  the  Chief  Financial 
Officers’  Council  (CFOC)  and  President’s  Committee  on  Integrity  and  Efficiency  (PCIE) 
joint  committee,  OMB  conducted  another  review  of  Circular  A-123  in  an  effort  to 
“strengthen  guidance  for  assessing  the  effectiveness  of  internal  control,”  (United  States 
Congress,  House  Hearing,  2005).  Possibly  the  most  substantial  amendment  to  this 
circular  involved  the  “requirement  for  agency  management  to  follow  a  more 
comprehensive  and  coordinated  approach  when  assessing  the  effectiveness  of  internal 
control  over  financial  reporting”  (United  States  Congress,  House  Hearing,  2005). 
According  to  testimony  before  the  House  of  Representatives,  Jeffrey  C.  Steinhoff, 
Managing  Director,  Financial  Management  and  Assurance,  GAO, 

The  changes  are  intended  to  strengthen  the  requirements  of  conducting 
management’s  assessment  of  internal  control  over  financial  reporting... 

The  Circular  correctly  recognizes  that  instead  of  considering  internal 
control  as  an  isolated  management  tool,  agencies  should  integrate  their 
efforts  to  meet  the  requirements  of  FMFIA  with  other  efforts  to  improve 
effectiveness  and  accountability.  (GAO  Report  05-321T,  2005,  p.  8) 

Circular  A-123  of  2004  stressed  the  importance  of  internal  control  assessment  and 
documentation  by  management,  updated  current  terminology  being  used  in  the  federal 
government  and  corporate  America,  and  listed  recent  financial  management  internal 
control  documentation  that  should  be  followed  and  considered  when  reviewing  the 
effectiveness  of  internal  controls. 

K.  DOD  DIRECTIVE  5010.38;  INTERNAL  MANAGEMENT  CONTROL 
PROGRAM  OF  1984 

On  July  16,  1984,  the  Department  of  Defense  issued  Directive  5010.38,  the 
Internal  Management  Control  Program.  Directive  5010.38  (which  cancelled  DoD 
Directive  7040.6;  Internal  Control  Systems,  March  24,  1982)  established  the  Internal 
Management  Controls  (IMC)  program  for  the  DoD,  incorporated  guidance  under  OMB 
Circular  No.  123  and  GAO  standards  for  Internal  Controls,  provided  policy,  prescribed 
procedures,  and  assigned  responsibility,  (DoD  5010.38,  1984).  The  current  directive  (last 
updated  on  August  26,  1996)  is  applicable  to  all  DoD  organizations  including  the  Office 
of  the  Secretary  of  Defense  (OSD),  DoD  field  activities,  the  Military  Departments,  the 
Organization  of  the  Joint  Chiefs  of  Staff,  the  Unified  and  Specified  Commands,  the 
Inspector  General,  DoD,  and  Defense  Agencies.  They  are  collectively  referred  to  as  DoD 
components  (DoD  5010.38,  1996). 

Concerning  policy,  DoD  directive  5010.38  mandated  that  each  DoD  component 
develop  and  implement  an  in-depth  system  for  internal  managerial  controls  that  provided 
reasonable  assurance  in  multiple  areas.  Specifically,  this  policy  requires  the  training  of 
IMC  managers  (focusing  on  their  obligations  and  responsibilities),  the  safeguarding  of 
assets  from  waste,  loss,  and  unauthorized  use,  compliance  with  applicable  laws  regarding 
all  obligations,  the  proper  recording  of  revenues  and  expenditures,  efficient  and  effective 
management  of  resources,  and  that  attention  be  placed  on  preventing  mismanagement  and 
correcting  specific  weaknesses  (DoDD  5010.38,  1984).  Another  policy  this  directive  set 
forth  was  to  involve  all  levels  of  management  while  also  designating  a  senior 
management  official  as  having  overall  responsibility  for  the  design,  direction,  and 
implementation  of  the  IMC  program.  Lastly,  this  policy  mandates  the  submission  of  a 
“statement  of  assurance”  to  the  Secretary  of  Defense  regarding  the  adequacy  of  the  IMC 
system  with  respect  to  meeting  program  standards,  goals,  and  objectives,  (DoD  5010.38, 
1984). 

Concerning  procedures,  Directive  5010.38  requires  each  DoD  component  to 
develop  an  IMC  program  that  includes  elements  such  as  “organizing  the  IMC  process, 
segmenting  the  components  into  assessable  units,  conducting  vulnerability  assessments 
on  those  units,  developing  plans  for  subsequent  action,  conducting  IMC  reviews  or 
appropriate  management  actions,  scheduling  and  taking  corrective  action,  providing  for 
quality  control,  and  preparing  reports”  (DoD  5010.38,  1984). 

L.  DOD  DIRECTIVE  5010.40;  MANAGEMENT  IMPROVEMENT 
PROGRAM,  1952 

The  DoD  issued  Directive  5010.40,  Management  Improvement  Program:  Work 
Measurement  System  and  Standards  of  Performance,  on  August  21,  1952.  According  to 
the  directive,  its  purpose  was  to  recognize  the  Military  Departments’  efforts  in 
developing  and  establishing  Work  Measurement  Systems  and  to  assure  continued 
attention  in  the  essential  elements  of  Management  Improvement  Programs  (DoD 
5010.40,  1952,  p.  1).  The  directive  encouraged  and  provided  for  the  maximum  exchange 
of  information  on  metrics  and  metric  systems;  although  it  did  not  require  standardization 
across  DoD.  The  Work  Measurement  and  Metric  Systems  were  primarily  a  quantitative 
measure  of  work  performed.  The  directive  outlined  a  metric  system  that  was  based  upon 
standard  output  and  statistical  formulas  when  considering  the  mean,  variance,  and 
standard  deviations  used  in  comparing  actual  output  (DoD  5010.40,  1952). 

M.  DOD  INSTRUCTION  5010.40;  MANAGEMENT  CONTROL  PROGRAM 
PROCEDURES 

Standard  Subject  Identification  Code  (SSIC)  5010.40  began  as  a  Directive  in 
1952.  Specific  documentation  of  migration  of  the  directive  into  an  instruction  was  not 
found.  However,  SSIC  5010.40  reemerged  as  a  DoD  Instruction  (5010.40D,  Management 
Control  (MC)  Program  Procedures)  on  August  28,  1996.  This  instruction  established 
procedures  for  implementing  and  executing  the  Managers’  Internal  Control  (MIC) 
Program.  The  SSIC  5010.40  began  as  a  performance  measurement  system  and  evolved 
into  a  robust  IMC  program.  The  management  control  program  and  procedures  mandated 
the  following  requirements  for  all  DoD  Components:  to  evaluate  and  identify  the  need  for 
Internal  Controls;  monitor  their  effectiveness  through  a  process  they  determine;  report  the 
adequacy  of  the  system’s  internal  controls;  and  correct  management  control  weaknesses 
(DoD  5010.40,  1996). 

The  Office  of  the  Under  Secretary  of  Defense  (Comptroller)  is  responsible  for 
implementing  and  managing  the  Secretary  of  Defense's  program  over  internal 
management  controls.  This  instruction  cites  over  twenty  different  references  with  the 
major  purpose  of  implementing  “Federal  Managers’  Financial  Integrity  Act  of  1982”  and 
OMB  No.  123.  As  discussed  in  the  previous  paragraph,  the  DoD  Instruction  5010.40,  MC 
Program  Procedures,  January  4,  2006  canceled  the  1996  Instruction.  DoD  Instruction 
5010.40  implements  both  DoD  Directive  5010.38  and  31  U.S.C.  3512.  The  DoDI 
5010.40  also  establishes  the  DoD  Senior  Assessment  Team  and  recognizes  the  changes  to 
OMB  Circular,  No.  123  of  2005.  DoD  Instruction  5010.40  also  reemphasizes  the  Federal 
Managers'  Financial  Integrity  Act  (FMFIA)  as  implemented  through  the  DoD  Managers' 
Internal  Control  Program  (MICP)  that  requires  all  DoD  managers  to  review,  assess,  and 
report  on  the  effectiveness  of  internal  management  controls  within  the  Department  of 
Defense.  Additionally,  DoD  Instruction  5010.40  requires  the  head  of  each  DoD 
Component  to  assign  IC  responsibility  to  civilian  and  military  leaders/managers 
throughout  the  DoD  and  provide  trained  personnel  for  planning,  directing,  and 
implementing  the  MIC  program  (DoD  5010.40,  2006). 

N.  SECRETARY  OF  THE  NAVY  INSTRUCTION  (SECNAVINST)  5200.35 

SECNAVINST  5200.35  (the  Managers’  Internal  Control  (MIC)  program 
regarding  internal  controls  across  the  DoN)  was  issued  prior  to  1987.  The  actual  date  of 
the  first  publication  of  SECNAVINST  5200.35  could  not  be  confirmed.  However, 
SECNAVINST  5200.35  was  found  as  a  reference  contained  within  SECNAVINST 
5430.92A,  August  20,  1987.  The  most  recent  rendition  of  SECNAVINST  5200.35E  was 
issued  on  November  8,  2006  and  is  used  as  the  current  document. 

This  instruction  specifies  guidance  for  implementing  an  internal  control  program 
throughout  the  DoN.  The  internal  control  program  serves  as  management’s  basis  for  the 
DoN  annual  Statement  of  Assurance.  The  SECNAV  Instruction  5200.35E  outlines  the 
responsibilities  of  DoN  personnel  with  regard  to  the  proper  stewardship  of  Federal 
resources  as  a  basic  obligation  of  their  public  service.  SECNAV  Instruction  5200.35E 
also  seeks  to  ensure  that  government  resources  are  used  in  compliance  with  applicable 
laws  and  regulations  while  minimizing  the  potential  for  waste,  fraud,  and  abuse.  This 
instruction  is  the  primary  reference  used  in  developing  the  DoN  Managers’  Internal 
Control  Manual,  SECNAV  M-5200.35.  The  manual  is  applicable  to  the  Offices  of  the 
Secretary  of  the  Navy,  The  Chief  of  Naval  Operations  (CNO),  the  Commandant  of  the 
Marine  Corps  (CMC),  and  all  Navy  and  Marine  Corps  activities,  installations, 
commands,  ships,  and  stations,  (SECNAV  M-5200.35,  2008). 

O.  ESTABLISHED  HISTORICAL  SIGNIFICANCE 

The  previous  discussion  identifies  a  progression  of  internal  management  control 
processes  and  philosophies.  This  progression  of  strengthening  internal  management 
controls  through  various  processes  and  perspectives  is  believed  by  the  authors  to  embody 
the  spirit  and  intent  behind  the  development  of  these  documents  and  references. 

In  tracing  the  historical  background  and  origin  of  internal  control  processes 
throughout  the  federal  government,  the  authors  have  identified  several  evolutionary 
changes.  The  Budget  and  Accounting  Act  of  1921  documented  a  concern  for  Internal 
Management  Control  processes  within  the  federal  government.  A  review  of  the  core 
statutory  and  regulatory  documents  suggests  that  there  was  a  shift  from  merely  creating, 
establishing,  and  mandating  internal  management  controls  to  the  emergence  of 
performance  measurement  systems  as  part  of  evaluating  internal  controls.  Review  of 
reference  materials  indicates  that  within  the  past  two  decades,  the  development  of 
overarching  programs  to  address  internal  management  controls  has  taken  precedence. 
This  development  of  internal  management  programs  directly  contributed  to  the  creation, 
development,  and  continued  improvements  of  the  IMC  Program  and  MIC  manual. 
Finally,  one  could  argue  that  the  buildup  of  federal  directives,  instructions,  policies, 
procedures,  and  programs  has  resulted  in  more  complex  and  cumbersome  reporting 
requirements. 

III.  INTERNAL  CONTROL 


A.  DISCUSSION 

As  previously  discussed  in  Chapter  II,  internal  controls  have  evolved  over  time 
within  the  federal  government.  Before  explaining  the  changes  that  have  occurred  within 
the  federal  government  (and  in  corporate  America),  it  is  necessary  to  first  discuss  the 
meaning  and  noteworthiness  of  internal  controls.  This  chapter  focuses  on  defining  and 
discussing  various  perspectives  regarding  the  purpose  of  internal  controls.  The  authors  of 
this  report  also  seek  to  explore  the  effectiveness  and  fit  of  internal  controls  as  they  are 
currently  defined  and  interpreted  within  the  federal  government.  In  addition  to  the 
aforementioned  topics,  discussions  surrounding  the  GAO  standards  and  components  of 
internal  control,  the  various  methods  in  which  an  organization  can  express  internal 
control  requirements,  and  identification  of  some  of  the  limiting  factors  of  internal 
controls  are  addressed.  Finally,  a  section  regarding  internal  control  sustainment  is 
presented  as  a  necessary  and  important  function  of  managing  internal  controls. 
Ultimately,  these  discussions  aid  in  the  assessment  of  the  MIC  Manual’s  effectiveness  in 
aligning  an  organization’s  mission,  organizational  philosophy,  management  strategy, 
goals,  metrics,  sustainment  efforts  and  improvement  programs. 

B.  INTERNAL  CONTROLS  DEFINED 

What  is  internal  control  and  what  are  the  objectives  in  having  these  controls? 
Depending  upon  the  desired  outcome  or  objectives  being  sought,  organizations  have 
historically  defined  internal  control  differently.  According  to  Whittington  and  Pany,  both 
professors  and  authors  within  the  auditing  field,  differing  perspectives  “have  long  existed 
about  the  meaning  and  objectives  of  internal  control.  Until  the  early  1990s,  many  people 
interpreted  the  term  internal  control  as  the  steps  taken  by  a  business  to  prevent  fraud  - 
both  misappropriation  of  assets  and  fraudulent  financial  reporting,”  (Whittington  &  Pany, 
2007,  p.  246).  One  of  the  first  publications  containing  a  formal  definition  of  the  term 
internal  control  can  be  found  in  a  1949  American  Institute  of  Accountants  (AIA)  Bulletin 
which  stated:  “Internal  control  comprises  the  plan  of  organizing  and  all  of  the  co-ordinate 
methods  and  measures  adopted  within  a  business  to  safeguard  its  assets,  check  the 
accuracy  and  reliability  of  its  accounting  data,  promote  operational  efficiency,  and 
encourage  adherence  to  prescribed  managerial  policies”  (AIA,  1949,  p.  6).  Other 
definitions  appear  to  be  focused  more  on  the  financial  portion  of  the  business,  protecting 
assets,  and  planning  for  the  future.  As  an  example,  “Internal  control  refers  to  the  design 
and  utilization  of  all  of  the  means  whereby,  from  a  financial  standpoint,  management  is 
enabled  most  effectively  to  safeguard  the  company’s  assets,  administer  the  current 
operations  and  plan  for  the  future”  (Cadmus  &  Child,  1953,  p.  4).  Additionally,  Cadmus 
and  Child  refer  to  internal  control  measures  as  applications  that  management  should  also 
use  to  implement  their  plans  and  management  philosophy  regarding  the  operation  and 
structure  of  an  organization  (Cadmus  &  Child,  1953,  p.  4). 

Consistent  with  Cadmus  and  Child’s  view,  Whittington  and  Pany  point  out  that 
“Others,  while  acknowledging  the  importance  of  internal  control  for  fraud  prevention, 
believe  that  internal  control  has  an  equal  role  in  assuring  control  over  manufacturing  and 
other  processes”  (Whittington  &  Pany,  2007,  p.  246).  The  acknowledgment  that  internal 
controls  encompassed  much  more  than  merely  deterring  fraud  prompted  a  set  of 
professional  organizations  in  corporate  America  to  form  a  committee  to  consolidate 
internal  control  concepts.  This  committee,  the  Committee  of  Sponsoring  Organizations 
(COSO)  would  later  produce  the  following  definition  of  internal  control: 

A  process,  effected  by  the  entity’s  board  of  directors,  management,  and 
other  personnel,  designed  to  provide  reasonable  assurance  regarding  the 
achievement  of  objectives  in  the  following  categories:  Reliability  of 
financial  reporting,  effectiveness  and  efficiency  of  operations,  and 
compliance  with  applicable  laws  and  regulations.  (Whittington  &  Pany, 
2007,  p.  246) 

In  trying  to  determine  how  the  federal  government  currently  defines  and  views 
internal  controls,  we  refer  to  Chapter  II  where  we  discussed  that  internal  controls  became 
a  primary  focus  of  the  passage  of  the  FMFIA  in  1982.  As  previously  stated,  the  FMFIA 
Act  not  only  mandated  federal  organizations  assess  whether  or  not  each  internal  control 
system  was  in  compliance  with  requirements,  but  it  also  required  the  General  Accounting 
Office  (GAO)  to  issue  standards  for  internal  control  in  government.  These  standards  for 
internal  control  in  government  can  be  found  in  a  report  titled  “Standards  for  Internal 
Control  in  the  Federal  Government,”  (GAO/AIMD-00-21.3.1,  1999).  In  this  report, 
GAO’s  definition  of  internal  control  essentially  mirrors  COSO’s  definition,  although 
GAO  describes  internal  controls  as  “A  major  part  of  managing  an  organization.  It 
comprises  the  plans,  methods,  and  procedures  used  to  meet  missions,  goals,  and 
objectives,  and  in  doing  so,  support  performance-based  management.  Internal  control 
also  serves  as  the  first  line  of  defense  in  safeguarding  assets”  (GAO/AIMD-00-21.3.1, 
1999).  The  definition  also  makes  reference  to  obtaining  desired  results  through  judicious 
stewardship  of  public  funds  and  scarce  resources.  As  the  importance  and  focus  on 
internal  controls  grew  within  the  private  sector  and  federal  government,  internal  control 
requirements  became  increasingly  well-defined  and  more  stringent 
(GAO/AIMD-00-21.3.1,  1999). 

C.  STANDARDS  /  COMPONENTS  OF  INTERNAL  CONTROL 

For  over  50  years,  the  components  of  internal  control  have  been  a  topic  of 
discussion  in  various  texts.  In  particular,  in  1953,  authors  Cadmus 
and  Child  stated  that  internal  controls  included  “organization  structure,  procedures, 
accounting  and  other  records,  reports,  standards  of  performance,  and  internal  auditing” 
(Cadmus  &  Child,  1953,  p.  5).  In  reviewing  Cadmus  and  Child’s  description  of  internal 
controls,  one  could  draw  the  conclusion  that  the  focus  of  internal  controls  was  primarily 
based  on  desired  outcomes  as  well  as  efforts  to  prevent  fraud  and  safeguard  assets.  This 
example  of  internal  control  components  yields  some  interesting  and  distinct  differences 
when  comparing  the  components  as  they  are  viewed  today.  Although  similarities  do  exist, 
the  following  discussions  on  contemporary  internal  control  standards  and  components 
display  the  evolution  of  internal  controls  throughout  history. 

As  part  of  the  research  in  this  section  on  internal  control,  two  sources  were 
selected  for  discussion.  The  sources  are  GAO  Report  (GAO/AIMD-00-21.3.1,  1999) 
titled  “Standards  for  Internal  Control  in  the  Federal  Government,”  and  a  book  authored 
by  Whittington  and  Pany  titled  “The  Principles  of  Auditing  and  Other  Assurance 
Services”  (2007).  The  GAO  report  was  generated  to  address  internal  controls  within  the 
federal  government  while  the  Whittington  and  Pany  model  discusses  components  of 
internal  controls  that  are  generally  applied  within  Corporate  America.  Both  the 
government  (GAO’s  Standards)  and  civilian  sector  (Whittington  and  Pany’s 
Components)  models  are  fundamentally  the  same  although  the  authors  noted  two  subtle 
variations.  First,  there  is  a  difference  in  the  terminology  used  in  describing  the  standards 
(or  components)  which  a  sound  internal  control  should  possess.  Second,  there  is  a 
difference  between  the  GAO’s  Information  and  Communication  standard  as  compared  to 
Whittington  and  Pany’s  Accounting  Information  System  subset  of  the  five  components  of 
internal  control.  So  as  not  to  limit  the  scope  of  assessing  internal  control  within  the  MIC 
manual  and  give  the  authors  a  better  understanding  of  internal  control 
standards/components,  both  the  government  (GAO’s  Standards)  and  civilian  sector 
(Whittington  and  Pany’s  Components)  models  were  considered  and  discussed  below. 

The  GAO  report  (GAO/AIMD-00-21.3.1,  1999)  developed  five  standards  for 
internal  control  which  apply  to  the  federal  government.  These  standards  were  developed 
by  GAO  because  of  a  requirement  by  the  FMFIA  which  tasked  GAO  to  “issue  standards 
for  internal  control  in  government”  (GAO/AIMD-00-21.3.1,  1999,  p.  1).  These  standards 
also  take  into  consideration  the  GPRA  of  1993,  which  has  already  been  discussed  as 
requiring  clarity  on  mission,  strategy,  and  goals.  These  five  standards  are  the  Control 
Environment,  Risk  Assessment,  Control  Activities,  Information  and  Communications, 
and  Monitoring.  “These  standards  define  the  minimum  level  of  quality  acceptable  for 
internal  control  in  government  and  provide  the  basis  against  which  internal  control  is  to 
be  evaluated”  (GAO/AIMD-00-21.3.1,  1999,  p.  7). 

The  Control  Environment  seeks  to  foster  a  positive  environment  within  the 
organization  in  order  to  maintain  and  strengthen  internal  controls 
(GAO/AIMD-00-21.3.1,  1999,  p.  8).  The  control  environment  is  described  as  the  cornerstone  by  which  all 
other  standards  are  built  upon  and  can  be  affected  by  several  factors.  First,  the 
organization  should  possess  an  atmosphere  that  exhibits  strong  ethical  values.  Another 
factor  involves  the  necessity  of  all  parties  being  competent  in  their  duties.  Management’s 
operating  style,  philosophy,  and  the  organization’s  ability  to  provide  adequate  training 
are  also  other  important  factors  which  fall  within  the  control  environment 
(GAO/AIMD-00-21.3.1,  1999,  p.  8).  A  poor  management  philosophy  towards  implementing, 
maintaining  or  monitoring  a  control  measure  can  have  a  substantial  negative  impact  on 
internal  control  overall.  Having  a  sound  organizational  structure  is  yet  another  factor  that 
can  affect  the  control  environment.  A  weak  organizational  structure  lacks  a  sound 
framework  and  does  not  adequately  delineate  areas  of  authority  or  responsibility; 
something  which  can  impede  successful  accomplishment  of  any  organizational  objective. 
Finally,  the  ability  to  establish  and  maintain  sound  relationships  with  oversight  agencies 
can  also  impact  the  control  environment  (GAO/AIMD-00-21.3.1,  1999,  p.  9). 

Risk  Assessment,  the  second  GAO  standard  for  internal  control,  includes  assessing 
both  internal  and  external  threats.  According  to  the  GAO  report,  risk  assessment  “is  the 
identification  and  analysis  of  relevant  risks  associated  with  achieving  the  objectives,  such 
as  those  defined  in  strategic  and  annual  performance  plans...  and  forming  a  basis  for 
determining  how  risks  should  be  managed”  (GAO/AIMD-00-21.3.1,  1999,  p.  10).  Other 
considerations  outlined  in  the  GAO  report  include  the  methods  used  in  identifying  risk 
(forecasting,  planning,  results  from  audit  findings,  and  quantitative  and  qualitative 
ranking  mechanisms)  and  the  likelihood  of  the  risk  occurring.  Finally,  mechanisms  used 
in  assessing  risk  should  be  flexible  and  applicable  to  a  wide  range  of  frequent  changes 
throughout  various  government  agencies  (GAO/AIMD-00-21.3.1,  1999,  p.  11). 

The  third  GAO  standard  for  internal  control  is  Control  Activities.  Control 
activities  are  established  to  ensure  that  the  directives  from  management  are  executed  in 
an  effective  and  efficient  manner.  Control  activities  “are  the  policies,  procedures, 
techniques,  and  mechanisms  that  enforce  management’s  directives... control  activities 
occur  at  all  levels... and  include  a  wide  range  of  diverse  activities  such  as  approvals, 
authorizations,  reconciliations,  performance  reviews,  maintenance  of  security,  and 
records  which  provide  evidence  of  execution,”  (GAO/AIMD-00-21.3.1,  1999,  p.  11).  The 
GAO  identifies  over  10  different  categories  of  various  control  activities  that  can  be 
regularly  found  within  all  agencies.  Some  of  these  categories  include  the  need  for  having 
separation  or  division  of  duties  so  as  to  minimize  error  or  fraud,  physical  controls  over 
vulnerable  assets,  high-level  reviews  of  performance,  effective  management  of  the 
workforce,  recording  transactions  and  events  in  an  accurate  and  timely  fashion, 
restricting  access  and  having  accountability  over  various  resources  and  records,  and 
maintaining  proper  documentation  of  internal  control  transactions.  In  addition,  the  GAO 
dedicates  an  entire  section  to  categories  specifically  related  to  control  activities  for 
information  systems  such  as  networks  and  mainframes. 

Information  and  Communications,  the  fourth  standard  for  internal  control  (as 
outlined  by  the  GAO),  stresses  the  importance  of  recording  and  communicating  the  flow 
of  information  in  a  timely  fashion  among  those  within  the  organization  who  have  the 
need  to  know;  thereby  giving  them  the  ability  to  execute  their  internal  control  and  other 
duties.  This  standard  of  internal  control  places  emphasis  on  the  flow  of  information  and 
communication  of  not  only  financial  data  but  operational  data  as  well.  This  standard  also 
highlights  the  benefits  of  developing  effective  internal  communication  within  an 
organization  as  well  as  maintaining  effective  communication  among  external 
stakeholders. 

The  last  of  the  five  standards  of  internal  control  under  the  GAO  model  is 
Monitoring.  Monitoring  is  a  vital  part  of  the  control  process  and  “should  assess  the 
quality  of  performance  over  time  and  ensure  that  the  findings  of  audits  and  other  reviews 
are  promptly  resolved...  It  is  performed  continually  and  is  ingrained  in  the  agency’s 
operations.  It  includes  regular  management  and  supervisory  activities,” 
(GAO/AIMD-00-21.3.1,  1999,  p.  20).  The  standard  of  monitoring  can  occur  through  self-assessments, 
external  audits,  or  through  direct  testing  of  a  control,  and  it  is  essential  that  any  noted 
deficiencies  are  reported  to  the  individual  responsible  for  the  activity  as  well  as  reporting 
to  management  that  is  one  level  higher.  Lastly,  the  monitoring  function  should  include 
established  policies  and  procedures  for  the  prompt  resolution  of  any  negative  findings 
(GAO/AIMD-00-21.3.1,  1999). 

Whittington  and  Pany  (2007)  identify  the  components  of  internal  control  as 
follows:  “Internal  control  of  an  organization  may  be  viewed  as  including  five 
components:  The  control  environment,  the  risk  assessment  process,  the  accounting 
information  system,  control  activities,  and  the  monitoring  of  controls”  (p.  248).  The 
accounting  information  system  and  monitoring  components  within  the  Whittington  and 
Pany  model  differ  from  that  of  the  GAO  standards.  These  differences  are  described  in  the 
following  paragraphs. 

The  control  environment  seeks  to  incorporate  not  only  the  organizational 
structure,  but  also  control  measures  involving  ethical  values,  the  assignment  of  authority 
and  responsibility,  and  all  human  resource  policies  and  practices  within  an  organization. 
The  control  environment  also  includes  such  factors  as  the  operating  style  of  management 
as  well  as  the  integrity  and  commitment  to  competence  of  the  individuals  within  the 
organization. 

Risk  assessment,  something  that  is  not  directly  specified  in  the  1953  list  of 
components  of  internal  control,  involves  an  array  of  considerations  that  an  organization 
should  seek  to  control.  Rapid  growth,  changes  in  personnel,  the  use  of  a  new  information 
system,  regulatory  or  technology  changes,  and  the  introduction  of  new  processes  all 
require attention and adequate control measures. Note that the risk assessment component
of internal control is relevant not only to the financial objectives of an organization but
also to its operational and compliance objectives, as is the case in the GAO model.

The accounting information system component of internal control is very similar
to  the  “accounting  and  other  records”  component  listed  by  Cadmus  and  Child,  yet  it  is 
distinctly  different  from  the  GAO  model.  This  component  is  primarily  focused  on 
controlling  financial  operations  involving  the  identification,  recording  and  timeliness  of 
valid  transactions,  proper  measurement  of  value  and  reporting  the  correct  time  periods  of 
transactions,  and  ensuring  control  measures  exist  in  order  to  accurately  represent  these 
transactions  on  a  financial  statement.  The  GAO  model  focuses  not  only  on  financial  data 
but  emphasizes  the  analysis  of  operational  data  as  well. 

The control activity as a component of internal control refers to areas such as the
processing of information, performance reviews, the types of physical controls put in
place to safeguard information, and the separation of power among those in the
organization. Unlike Cadmus and Child, who list standards of performance as a
component of internal control in itself, the Whittington and Pany model identifies
standards of performance as a sub-category of control activities.

Monitoring  of  ongoing  organizational  activities  is  the  last  component  of  internal 
control.  The  monitoring  of  controls  entails  focusing  on  both  common  activities  as  well  as 
infrequent  activities  such  as  internal  audits.  In  addition  to  monitoring  control  activities, 
the  monitoring  component  of  internal  control  also  emphasizes  monitoring  the  overarching 
system  or  program  that  has  been  established  to  monitor  internal  controls.  In  other  words, 
an  organization  must  monitor  the  internal  control  program’s  effectiveness  in  addition  to 
those  activities  contained  within  the  program.  (Whittington  &  Pany,  2007,  pp.  248-256) 

To  summarize,  both  the  GAO  and  Whittington  and  Pany’s  models  of  the  five 
standards/components  of  internal  controls  largely  mirror  one  another  in  overall  content. 
However, there are two distinct differences between the two models. The GAO model is
unique  in  assessing  the  Information  and  Communications  standard.  Unlike  the 
Whittington  and  Pany  model,  this  GAO  standard  does  not  limit  the  focus  of  information 
and  communication  flow  to  financial  data  but  rather  considers  and  includes  the 
information  flow  of  operational  data  as  well.  Conversely,  it  is  also  important  to  note  that 
the  Whittington  and  Pany  model’s  monitoring  component  included  the  monitoring  of  the 
overarching  systems  or  programs  of  internal  controls  whereas  the  GAO  model  does  not. 

D.  LIMITING  FACTORS  OF  INTERNAL  CONTROL 

Several factors can limit any internal control. Each has the
capability  to  act  as  a  barrier  in  effectively  controlling  a  particular  function  of  an 
organization.  Possessing  awareness  of  these  limiting  factors  can  therefore  aid  those  who 
seek  to  maximize  the  effectiveness  of  an  operation. 

Some of the limiting factors of internal control include excessive cost, internal
controls that are too complicated to be understood by those who are supposed to abide by
the control measures, and users who are too fatigued or exercise poor judgment
(Whittington & Pany, 2007, p. 256). Although an internal control may be feasible in
theory, efforts to apply the control may be unsuccessful because of its complexity. The
control measure may be too cumbersome and complex, resulting in confusion and
misunderstanding.

Recognizing  that  control  measures  provide  reasonable  assurance  rather  than 
absolute  assurance,  the  potential  for  management  to  override  control  measures,  and  the 
likelihood  of  stakeholders  reducing  compliance  to  an  established  control  measure  over 
time  are  additional  limiting  factors  (Whittington  &  Pany,  2007,  p.  256).  Concerning  cost, 
even  a  sound  internal  control  may  be  found  to  be  cost-ineffective  and  therefore  discarded. 
According to Merchant and Van der Stede, “because of control costs, perfect control is
rarely the optimal outcome; what is optimal is control that is good enough at a reasonable
cost” (Merchant & Van der Stede, 2007, p. 11).

Based  on  the  literature,  these  limiting  factors  appear  applicable  to  both  the  federal 
government  and  corporate  America.  Although  the  focus  on  implementing  internal 
controls  shifted  from  one  limiting  factor  to  another  over  time  (for  example,  from  a  focus 
on  reducing  common  errors  to  a  focus  on  preventing  fraud  due  to  collusion),  a  shared 
theme  in  maintaining  awareness  of  limiting  factors  of  internal  control  has  continued  to 
exist over time. One limiting factor that the authors of this report believe merits
particular discussion is having too many internal controls. Arguably, having too many
internal controls lays the groundwork for micromanagement and can potentially detract
from other more important and existing internal controls. In researching and reviewing
the literature, the authors found little
documentation  or  discussions  surrounding  excessive  internal  controls  as  a  limiting  factor. 
Rather,  the  discussions  focused  on  the  relevancy  of  internal  controls.  Specifically,  the 
authors  of  Internal  Control  Against  Fraud  and  Waste  presented  the  point  that  “even 
though  a  certain  control  measure  is  possible,  it  may  not  be  necessary  or  desirable...  Does 
it  control  something  that  is  worth  while  to  control?”  (Cadmus  &  Child,  1953,  p.  304).  As 
previously  stated,  the  authors  of  this  report  are  of  the  opinion  that  too  many  internal 
controls,  which  are  either  duplicative  or  irrelevant,  can  inhibit  other  existing  and  essential 
controls.  More  importantly,  overly  complex  or  excessive  control  negatively  impacts 
effectiveness  and  can  reach  a  level  more  critical  than  that  of  other  limiting  factors 
previously discussed. The relevance in discussing this issue becomes apparent in the
following  chapters  where  we  evaluate  the  MIC  program  and  the  level  of  control  measures 
contained  within  the  program  and  manual. 

E. COMMON METHODS IN PRESENTING INTERNAL CONTROLS TO STAKEHOLDERS

Internal  controls  are  most  effective  when  they  are  flexible  to  a  changing 
environment  and  can  be  clearly  understood  by  all  parties  involved.  Internal  controls  and 
processes  should  therefore  be  well-defined  and  clearly  presented  by  management  so  those 
charged with physically carrying out the function or process clearly understand them. Several
different  methods  can  be  used  to  increase  the  likelihood  of  expressing  internal  controls  to 
stakeholders  in  an  understandable  manner.  The  training  of  personnel  (whether  it  be 
formal  training  or  on  the  job  training)  is  an  essential  portion  of  presenting  an  internal 
control  function.  The  methods  in  which  a  control  measure  can  be  presented  include 
reading  material,  the  use  of  flowcharts,  and  other  communication  mediums  (Whittington 
&  Pany,  2007,  p.  263).  Using  various  communication  methods  to  not  only  explain  the 
control  measure  but  to  also  present  how  the  control  measure  impacts  the  entire 
organization  often  results  in  an  even  stronger  understanding  of  internal  controls. 
Additionally,  analyzing  a  process,  design,  or  function  from  its  initial  stage  through 
completion  yields  a  powerful  understanding  of  a  system  and  the  associated  internal 
controls that have been set in place (Whittington & Pany, 2007, p. 263).

Whittington  and  Pany  place  emphasis  on  flowcharts  as  being  the  superior  method 
in  expressing  internal  controls.  Not  only  do  they  suggest  that  a  flowchart  “provides  a 
clearer,  more  specific  portrayal  of  a  client’s  system”  (Whittington  &  Pany,  2007,  p.  263), 
but  also  make  the  assertion  that  “there  is  less  opportunity  for  misunderstanding,  blank 
spots,  or  ambiguous  statements  when  one  uses  lines  and  symbols  (flowchart)  rather  than 
words  to  describe  internal  control”  (Whittington  &  Pany,  2007,  p.  263). 

Possessing  a  clear  understanding  of  an  internal  control  measure  coupled  with  an 
understanding  on  how  the  internal  control  impacts  other  functions  of  the  organization  is 
arguably  the  desired  goal  when  presenting  internal  controls  to  stakeholders.  Within  the 
federal government (and specifically the DoD and DoN), the authors found multiple
examples of presenting internal controls. The most common approach is likely through
written narratives and guidance such as published directives, instructions, regulations,
manuals, standard operating procedures (SOP’s), memorandums of understanding
(MOU’s), and the like. The majority of federal government documents reviewed regarding
internal control systems and programs (such as OMB Circular A-123, DoD Directive
5010.38, DoD Instruction 5010.40, and SECNAVINST 5200.35D) did not use flowcharts
as a method of presenting internal control processes. The above section is applicable
since the authors review the material contained within the MIC manual and assess how
it is presented. Assessing how the MIC manual presents material will assist the authors in
determining the manual’s ease of use and application throughout the DoN.

F.  INTERNAL  MANAGEMENT  CONTROL  SYSTEMS 

“Internal Controls (IC’s) and Internal Management Controls (IMC’s) are
considered synonymous” (SECNAVINST 5200.35E, 2006, p. 1). The purpose of
identifying IC’s and IMC’s as being synonymous is to facilitate a comprehensive
understanding of what IMC systems are, and what they are designed to accomplish.
Numerous situations and applications require IMC’s and IMC systems, and the types and
terms used to identify them are just as numerous. For example, Business Intelligence
(BI), Business Activity Monitoring (BAM), Enterprise Decision Management (EDM),
Enterprise Metrics Management (EMM), and the Balanced Scorecard are all IMC systems.

These  IMC  systems  share  philosophies  for  identifying  specific  tasks  or  functions 
that  require  IC’s  and  define  how  to  effectively  institute  IC’s  as  part  of  the  larger  system. 
Poor  planning  and  implementation  of  management  systems  fail  to  link  financial  systems, 
resources  allocation,  budgeting,  process  improvement  programs,  and  long-term  strategies. 
To minimize the potential gaps in effectively implementing an IMC system, Kaplan and
Norton recommend using the Balanced Scorecard as a Strategic Management System. The
Balanced Scorecard not only describes processes for managing strategy, but also facilitates
the effective implementation of IMC systems (Kaplan & Norton, 1996). The four
processes for managing strategy that Kaplan and Norton discuss are:

•  Translate  the  Vision  -  For  people  to  act  on  the  words  contained  in  the 
vision  strategy  statement,  the  statements  must  be  expressed  as  an 
integrated  set  of  objectives  and  measures,  and  be  agreed  upon  by  all  senior 
executives  that  describe  the  long-term  drivers  for  success. 

•  Communicating  and  Linking  -  This  function  lets  managers  communicate 
their  strategy  up  and  down  the  organization  and  link  it  to  departmental  and 
individual  objectives. 

•  Business  Planning  -  This  function  enables  companies  to  integrate  their 
business  and  financial  plans.  This  is  an  important  concept  because  most 
organizations  have  separate  procedures  and  organizational  units  for 
strategic  planning  and  for  resource  allocation  and  budgeting. 

•  Feedback  and  Learning  -  This  gives  companies  the  capacity  for  strategic 
learning.  Most  companies  today  operate  in  a  turbulent  environment  with 
complex  strategies...  In  an  environment  where  new  threats  and 
opportunities  arise  constantly,  companies  must  be  capable  of  learning 
through  feedback.  (Kaplan  &  Norton,  1996,  p.  1-3) 

According to Kaplan and Norton, the four processes are characteristics of a
successful IMC system because the system establishes a “link to a company’s long term
strategy with its short term actions” (Kaplan & Norton, 1996, p. 1). Successful IMC
systems are designed to give the necessary tools to the entire enterprise and increase
corporate understanding. In order to facilitate a successful IMC program, it is imperative
for organizations to achieve both successful alignment of existing IMC’s as well as gain
corporate buy-in (Green & Ryan, 2005, p. 45). Ultimately, “the intrinsic knowledge or the
collective intelligence of the people within a business enterprise is believed to be the
largest asset” (Green & Ryan, 2005, p. 44).

G.  INTERNAL  MANAGEMENT  CONTROL  SYSTEM  EFFICIENCY 

Incorporating  the  five  key  components  that  determine  the  effectiveness  of  IC,  the 
Committee  of  Sponsoring  Organizations  (COSO)  of  the  Treadway  Commission 
introduced  a  model  or  framework  designed  to  assist  organizations  in  the  review, 
evaluation  and  improvement  of  their  IMC  systems  (Steinberg  &  Tanki,  1993,  p.  1).  In 
September 1992, COSO released a report titled “Internal Control - Integrated
Framework.”  The  purpose  of  this  report  was  to  “present  a  common  definition  of  internal 
control  to  meet  the  needs  of  diverse  users  and  provides  a  framework  against  which 
entities  can  assess  and  improve  their  internal  control  systems”  (Steinberg  &  Tanki,  1993, 
p.  1).  According  to  the  COSO  report,  the  internal  control  integrated  framework  concept  is 
based  on  the  following  premises: 

•  Internal  control  is  a  process.  It  is  a  means  to  an  end,  not  an  end  in  itself. 

• Internal control is not merely documented by policy manuals and forms.
Rather, it is an action put into play by people at every level of an
organization.

•  Internal  control  can  provide  only  reasonable  assurance,  not  absolute 
assurance,  to  an  entity’s  management  and  board. 

•  Internal  control  is  geared  to  the  achievement  of  objectives  in  one  or  more 
separate  but  overlapping  categories.  (Whittington  &  Pany,  2007,  p.  247) 

These  premises  make  up  the  foundation  on  which  COSO’s  integrated  framework  can  be 
used  to  provide  a  sound  basis  for  establishing  internal  control  systems  and  determining 
their  effectiveness  (Applegate  &  Wills,  1999).  Additionally,  these  premises  can  assist 
management  in  gaining  firmer  control  over  an  organization's  activities  (Steinberg  & 
Tanki,  1993,  p.  2).  The  report  goes  even  further  by  providing  a  standard  to  which  an  IMC 
system  can  be  measured  for  effectiveness: 

The  effectiveness  of  an  internal  control  system  is  measured  by  its  capacity 
to  provide  reasonable  assurance  to  the  board  of  directors  and  management 
that  these  three  objectives  have  been  met;  effectiveness  and  efficiency  of 
operations,  reliability  of  financial  reporting  and  compliance  with 
applicable  laws  and  regulations.  (Simmons,  1997,  p.  69) 

Although  the  COSO  framework  is  not  the  only  model  available  to  evaluate  and 
analyze  an  IMC  system,  it  has  been  referenced  by  the  PCAOB  and  SEC  as  providing  an 
example of an IC system as required by sections 302 and 404 of SOX (Bizmanualz,
2008).  In  short,  the  framework  helps  ensure  that  the  alignment  of  IC  controls  with  the 
larger  system  remains  a  continual,  evolutionary  process;  a  benchmark  which  the  authors 
of  this  text  use  to  analyze  the  MIC  manual. 

H. SUSTAINING INTERNAL CONTROLS AND SYSTEMS


In order to sustain internal controls, an organization’s management and leadership
must first possess the desire and dedication to give internal controls the attention they
require. Bresnahan (2007) argues that sustaining internal controls requires that the
organization possess a unique structure. This structure involves the following
characteristics:

•  That  the  organization  have  an  effective  internal  control  program 

•  Focused  and  flexible  leaders 

•  Flexible  in  changing  controls  to  the  changing  environment 

•  The  ability  to  respond  adequately  to  updates,  testing,  and  remediation 

•  Continual  planning  (e.g.,  to  identify  risk,  allocate  resources) 

•  Ability  to  assess  and  determine  effectiveness  of  assessment  process 

•  Possess  a  proactive  cultural  mindset  (Bresnahan,  2007,  pp.  45-48) 

According to Bresnahan, “OMB’s new rules are clear that management must be
proactive in determining that controls are effective” (Bresnahan, 2007, p. 45). Bresnahan
also states that prior to OMB’s new rules, there existed a lack of concern for sustaining
internal controls. Specifically, “before FY 2006, internal control monitoring in many
federal agencies was a paper exercise, hastily conducted at the end of each fiscal year.
Now, many agencies have come into compliance with tough new rules for controls over
financial reporting” (Bresnahan, 2007, p. 45). Bresnahan alludes to the importance of
attaining  buy-in  from  senior  leadership  as  well  as  senior  management  being  proactive 
with  respect  to  sustaining  internal  controls.  Without  continued  focus  and  support  from 
senior  leadership  in  dealing  with  internal  controls,  Bresnahan  warns  of  loss  in 
sustainment  structure  (Bresnahan,  2007). 

In 2006, Candreva published an article that focused on reviewing and
interpreting the revised OMB Circular A-123 (2004). Candreva expressed the
importance of an organization not only having adequate internal controls in place, but
also implementing, monitoring, and sustaining controls throughout the
organization. Additionally, Candreva placed emphasis on management’s obligation to
maintain internal controls (for the purpose of attaining organizational objectives), and the
responsibility  of  “self-assessing,  correcting,  and  reporting  on  the  efficacy  of  those 
controls.  In  short,  controlling  the  internal  controls  is  the  new  standard”  (Candreva,  2006, 

IV. THE MIC MANUAL


A.  DESCRIPTION 

The purpose of this chapter is to provide an overview of the Department of the
Navy Managers’ Internal Control (MIC) Manual, focusing primarily on the document’s
structural organization and content. By reviewing the content and structure of the MIC manual, the
authors  of  this  report  intend  to  provide  the  reader  with  adequate  background  knowledge 
necessary  to  understand  the  follow-on  discussions  in  upcoming  chapters. 

Revised in June 2008, the MIC manual is a 45-page document that is published by
the  Assistant  Secretary  of  the  Navy,  Financial  Management  and  Comptroller 
(ASN(FM&C)).  This  manual  consists  of  a  foreword  from  the  ASN(FM&C)  which 
implements  the  immediate  use  of  the  manual  to  all  applicable  Offices  of  the  Secretary  of 
the  Navy,  the  Chief  of  Naval  Operations,  the  Commandant  of  the  Marine  Corps,  and  all 
Navy  and  Marine  Corps  activities,  commands,  installations,  ships,  and  stations 
(SECNAV  M-5200.35,  2008).  The  manual  specifies  procedures  for  implementing  an 
effective  internal  control  program  throughout  the  DoN  and  states  that  it  serves  as 
management’s  basis  for  the  DoN’s  annual  Statement  of  Assurance  (SOA)  to  the  SECDEF 
(SECNAV  M-5200.35,  2008). 

The  MIC  manual  is  revised  every  year  and  is  designed  to  assist  DoN 
Organizations  in  the  implementation  of  policy  set  forth  in  Department  of  Defense 
Instruction (DoDI) 5040.40 Managers’ Internal Control (MIC) Program Procedures, and as
outlined  in  SECNAVINST  5200.35,  DON  MIC  program  (DoDI  5040.40,  p.  1).  The  stated 
intent  was  to  develop  the  manual  into  a  product  which  provided  DoN  organizations  the 
necessary  tools  in  establishing  and  executing  an  effective  internal  control  program  and  to 
specify  the  procedures  required  to  properly  institute,  review,  assess,  and  report  on  the 
effectiveness  of  their  program’s  internal  controls  (DoDI  5040.40,  p.  2). 

The MIC manual lists a table of contents, an introduction to the DoN MIC
Program, and a MIC program overview identifying the DoN Major Assessable Units
(MAU’s), Senior Management Council, Senior Assessment Team (SAT), and Assessable
Units. The MIC program overview explains the program’s organizational unit structure,
associated areas of responsibility, accountability, and applicable reporting requirements
for each level of management responsible for an IC system.

On  page  10  of  the  document,  the  MIC  manual  begins  to  describe  the  MIC 
Program  documentation  requirements  that  must  be  maintained  by  MAU’s  and  their 
immediate  subordinates.  These  requirements  include  generating  and  maintaining  risk 
assessment  documentation,  control  assessment  documentation,  a  corrective  action  plan, 
and  an  overall  Managers’  Internal  Control  (MIC)  plan  (SECNAV  M-5200.35,  2008).  The 
MIC  plan  “captures  the  organization’s  approach  to  implementing  an  effective  internal 
control  program  and  serves  as  the  first  resource  MIC  coordinators  use  to  understanding 
their  organization’s  program”  (SECNAV  M-5200.35,  2008,  p.  16).  It  is  within  this 
section  of  the  MIC  manual  that  the  GAO’s  standards  for  IC’s  in  the  federal  government 
(e.g.,  control  environment,  risk  assessment,  control  activities)  are  first  listed. 

The  MIC  manual  then  focuses  on  Statement  of  Assurance  (SOA)  concerns  by 
outlining  the  required  reporting  periods  as  well  as  discussions  surrounding  how 
materiality  can  be  determined.  Additionally,  the  section  titled  SOA  lists  16  different 
categories  in  which  internal  control  reporting  must  occur  within  the  DoD.  Procurement, 
supply  operations,  financial  statement  reporting,  resource  management,  and  information 
technology  are  a  few  of  the  categories  requiring  internal  control  reporting  (SECNAV  M- 
5200.35,  2008). 

Approximately halfway through the manual, an explanation of the process of
submitting  annual  certification  statements  by  MAU’s  is  provided.  Titled  Statement  of 
Assurance  Tool,  this  portion  of  the  manual  illustrates  how  coordinators  of  MAU’s  are 
required  to  submit  certification  statements  electronically  through  the  SOA  online  tool. 
Access to the SOA online tool is currently restricted to the DoN’s 18 MAU’s, valid
coordinators, and the DoN MIC coordinator. Therefore, no assessment of the SOA online
tool was conducted. According to the manual, however, using the SOA online tool as a
method of reporting facilitates access to historical data, enables commands to self-report
weaknesses and accomplishments, and fosters communication up and down the chain of
command (SECNAV M-5200.35, 2008). The SOA online tool enablers (access to
historical data, the reporting of weaknesses and accomplishments, and increased
communication) are required tasks for MAU’s and their subordinate units as outlined in
SECNAVINST 5200.35E (SECNAVINST 5200.35E, 2006, pp. 5-9).

Following  the  Statement  of  Assurance  Tool  section  of  the  manual,  there  are  more 
than  10  pages  dedicated  to  properly  preparing  and  submitting  a  MIC  certification 
statement.  According  to  the  MIC  manual,  five  items  are  included  in  the  online 
submission  of  the  MIC  certification  statement.  These  include: 

1.  A  cover  memorandum 

2.  A  listing  of  accomplishments 

3.  A  listing  of  material  weaknesses,  reportable  conditions,  and  items  to  be 
revisited,  uncorrected  and  corrected 

4.  A  listing  of  uncorrected  material  weaknesses,  reportable  conditions,  and 
items  to  be  revisited 

5.  A  listing  of  corrected  material  weaknesses,  reportable  conditions,  and 
items  to  be  revisited  (SECNAV  M-5200.35,  2008) 

The manual further breaks down each item listed above, providing not only examples but
also details on the recommended formatting and submitting processes.
Concerning the cover memorandum, for example, the manual identifies whom the
memorandum is addressed to, who authors the document, and lists the mandatory
contents that are required to be contained within the memorandum. The MIC manual also
requires the cover memorandum to contain a reasonable assurance statement that reflects
whether internal controls are both in place and effective. Finally, the cover memorandum
must contain a statement that details the results as either qualified, unqualified, or of
no assurance (SECNAV M-5200.35, 2008).

Towards  the  latter  part  of  the  manual,  there  are  additional  SOA  submission 
instructions  as  well  as  an  explanation  and  instructions  for  participating  in  online  training 
through  the  Navy  Knowledge  Online  website.  The  manual  offers  two  types  of  online 
training.  These  training  courses  include  a  5-hour  course  (designed  for  coordinators  and 
alternates) on the DoN MIC Program and a 2-hour DoN MIC training program that is
specifically  designed  for  managers.  At  the  end  of  the  manual,  a  listing  of  common 
acronyms  associated  with  the  MIC  manual  and  a  summary  of  major  changes  and 
technical  corrections  are  provided  (SECNAV  M-5200.35,  2008).  Additionally,  there  are 
flowcharts,  diagrams,  and  tables  throughout  the  risk  assessment  and  control  assessment 
sections  of  the  MIC  manual  providing  visual  aids  to  help  comprehend  the  material. 

As  discussed  in  Chapter  II,  the  FMFIA  act  of  1982  requires  all  DoD  agencies  to 
assess  their  IC  systems  and  controls  in  accordance  with  the  standards  and  requirements  as 
outlined  in  OMB  circular  123,  Appendix  A.  The  DoN’s  annual  Statement  of  Assurance 
(SOA),  which  is  prepared  and  submitted  by  ASN(FM&C),  must  also  attest  to  the  level  of 
compliance  by  all  DoN  organizations.  A  method  for  all  DoN  MAU’s  and  their  immediate 
subordinates  to  comply  with  the  FMFIA  overall  process  is  to  maintain  all  MIC  program 
documentation  as  presented  in  this  chapter  (SECNAV  M-5200.35,  2008,  p.  10). 

V. EVALUATION OF THE MIC MANUAL


A.  ESTABLISHING  THE  REVIEW  PROCESS 

To  determine  if  the  MIC  Manual  is  effective  in  aligning  an  organization’s  current 
mission,  organizational  philosophy,  management  strategy,  goals,  metrics,  sustainment 
efforts  and  improvement  programs,  it  is  necessary  to  establish  that  the  manual  represents 
the spirit and intent of SECNAV 5200.35E and other pertinent statutory and regulatory
references.  Additionally,  in  order  to  establish  the  ease  of  use,  comprehension,  and 
implementation  of  the  MIC  manual  by  agencies  within  the  DoN,  the  authors  evaluate 
how  the  manual  is  organized,  consider  its  content,  and  analyze  its  thoroughness  and 
effectiveness  in  incorporating  pertinent  statutory  and  regulatory  references.  Finally,  this 
review  process  discusses  the  existence  of  potential  challenges  in  applying  the  internal 
management  control  concepts  as  outlined  in  the  present  MIC  manual. 

As  previously  stated  in  Chapter  III,  GAO’s  Standards  for  Internal  Control  in  the 
Federal  Government  and  Whittington  and  Pany’s  discussion  on  components  were  central 
to  the  analysis  in  this  chapter.  The  purpose  of  that  discussion  was  to  validate  the 
government’s  use  of  the  five  standards  as  a  sound  model  for  evaluating  internal  control 
and  internal  control  systems.  Whittington  and  Pany’s  model  clearly  defined  monitoring  to 
include  the  monitoring  of  the  overarching  systems  or  programs  of  internal  controls 
whereas  the  GAO  model  falls  short  in  addressing  the  monitoring  of  internal  control 
systems or programs. The GAO model fell short by definition, not by function.

The  five  standards  contained  within  GAO’s  Standards  for  Internal  Control  in  the 

Federal  Government  are  based  on  the  COSO  framework.  Also,  the  five  components  of 

internal  control  as  outlined  by  Whittington  and  Pany  are  based  on  the  COSO  framework. 

COSO’s  integrated  framework  has  been  determined  to  be  a  sound  basis  for  establishing 

internal  control  systems  and  detennining  their  effectiveness  (Applegate  &  Wills,  1999). 

Since  the  GAO  model  is  based  on  the  COSO  framework  and  COSO’s  framework  was 

determined  by  Applegate  and  Wills  to  be  a  sound  basis  evaluating  internal  control 

systems,  the  GAO  model  should  be  a  sufficient  tool  for  use  in  evaluating  internal  controls 
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and  systems  of  internal  control.  The  authors,  therefore,  argue  that  the  GAO  model  is 
designed  to  evaluate  internal  controls  and  also  has  the  necessary  attributes  to  evaluate  an 
internal  control  system.  By  analyzing  the  lineage  of  the  GAO’s  standards  for  internal 
control,  coupled  with  GAO  discussion  points,  which  describe  internal  control  as  “a  major 
part  of  managing  an  organization”  (GAO/AIMD-00-21.3.1,  1999,  p.  1),  in  the  authors’
view,  it  is  logical  and  prudent  to  evaluate  the  MIC  manual  using  GAO  standards  of
internal  management  control.  Additionally,  the  FMFIA  tasked  GAO  with  developing  and
issuing  standards  for  internal  control  within  the  federal  government  (OMB;  FMFIA,
1982),  and  OMB  first  issued  Circular  A-123  in  anticipation  of  FMFIA  becoming
law  (GAO,  2005,  p.  3).  The  SECNAVINST  5200.35E  was  then  written  for  the  purpose
of  meeting  the  requirements  as  set  forth  by  OMB  Circular  A-123  and  the  FMFIA.

In  order  to  evaluate  the  MIC  manual  with  an  organized  and  systematic  approach, 
GAO’s  Internal  Control  and  Evaluation  Tool  was  used.  Discussed  in  Chapter  I,  the 
Evaluation  Tool  was  published  in  2001.  The  publication  provided  “a  systematic, 
organized,  and  structured  approach  to  assessing  the  internal  control  structure”  (GAO-01-1008G,
2001,  p.  1).  The  tool  was  written  after,  and  corresponds  with,  the  five  standards
for  internal  control  published  by  GAO  in  1999.  The  GAO  tool  was  found  by  the  authors
to  connect  all  pertinent  regulations  and  policies  because  it  considered  the  following
legislation:  OMB  Circular  A-123,  the  Federal  Managers’  Financial  Integrity  Act
(FMFIA)  of  1982,  the  Government  Performance  and  Results  Act  (GPRA)  of  1993,  the
Chief  Financial  Officers  Act  of  1990,  and  Federal  Financial  Management  Improvement
Act  (FFMIA)  of  1996  (GAO-01-1008G,  2001).

The  GAO  tool  is  the  primary  document  for  this  evaluation  because  it  aligns  with 
Standards  for  Internal  Control  in  the  Federal  Government,  which  mirrors  COSO  and  the
components  as  outlined  within  the  Whittington  and  Pany  text.  Using  this  GAO  tool,  the 
MIC  manual  can  be  assessed  for  completeness,  thoroughness,  and  appropriateness  in 
addressing  each  of  the  five  standards.  The  GAO  tool  provides  a  formatted  structure  for
evaluating  IC’s  based  on  the  five  standards  of  internal  control  by  providing  a  checklist  of 
“Major  Factors,”  “points,”  and  “subsidiary  points”  that  correspond  with  the  five 
standards.  Appendix  B  provides  a  detailed  list  of  all  major  factors,  points,  and  subsidiary 
points  as  listed  within  the  GAO  tool.  This  structure  is  followed  by  the  authors  of  this
report  throughout  the  remaining  analysis  of  the  MIC  manual  (GAO-01-1008G,  2001).


B.  STANDARDS  OF  CONTROL 

The  initial  review  of  the  MIC  manual  revealed  that  it  was  not  developed  or 
directly  based  upon  the  five  standards  of  internal  control  or  GAO  report  (GAO/AIMD-00-21.3.1,
1999).  The  MIC  manual  does  not  identify  GAO’s  five  standards  for  internal
control  until  page  17  of  the  44-page  document.  The  MIC  manual’s  discussion 
surrounding  the  five  standards  is  limited.  The  manual  lists  the  five  standards, 
recommending  the  standards  be  used  in  developing  a  MIC  plan,  and  provides  a  link  to  the 
GAO  website  in  order  to  obtain  additional  information.  Since  the  five  standards  of 
internal  control  have  been  stated  by  GAO  as  “the  minimum  level  of  quality  acceptable  for 
internal  control  in  government  and  provide  the  basis  against  which  internal  control  is  to 
be  evaluated”  (GAO/AIMD-00-21.3.1,  1999,  p.  7),  the  authors  are  of  the  opinion  that  the
MIC  manual  should  expand  upon  the  presentation  of  the  five  standards  of  internal 
control. 


1.  Control  Environment  Assessment 

a.  Integrity  and  Ethical  Values  (Major  Factor  #1) 

Using  the  GAO  tool  to  evaluate  the  first  standard  (i.e.,  the  control
environment),  it  became  apparent  that  few  of  the  main  points  listed  under  the  first  major
factor  (i.e.,  integrity  and  ethical  values)  were  adequately  contained  within  the  MIC 
manual.  For  example,  the  GAO  tool  suggests  assessing  whether  cooperation  among 
managers,  auditors,  and  evaluators  is  encouraged  in  an  ethical  manner.  Although  the  MIC 
manual  contained  terminology  that  urged  and  encouraged  managers  to  cooperate  with 
auditors,  the  discussion  was  not  ethics-based. 

In  using  the  same  GAO  tool,  the  MIC  manual  (as  a  whole)  falls  short  in
containing  terminology  that  sets  a  positive  and  supportive  attitude  toward  IMC,  a
major  factor  under  the  control  environment  standard  that  fosters  IMC  effectiveness.
Although  the  MIC  manual  states  that  it  “implements  the  policy  set  forth  in
SECNAVINST  5200.35E”  (SECNAV  M-5200-35,  2008,  p.  2),  the  manual  does  not 
communicate  to  the  authors  the  importance  of  integrity  and  ethical  values  as  it  pertains  to 
IMC’s  and  the  control  environment.  Any  positive  ethical  tone  that  is  being  sought  within 
government  agencies  with  respect  to  IMC’s  is  not  evident  in  the  MIC  manual.  Two  other 
areas  under  the  control  environment,  which  the  MIC  manual  does  not  address,  are  1)  the 
absence  of  contact  information  for  submitting  questions,  suggestions,  or 
recommendations  to  the  overall  process,  and  2)  consideration  of  disciplinary  action 
controls  should  an  organization  or  individual  fail  to  implement  the  tasks  as  outlined  in  the 
manual.  Additionally,  the  potential  for  management  override  involving  internal  control 
reporting  as  designed  in  the  MIC  manual  could  be  a  material  weakness  within  the 
program  and  manual  itself.  The  whole  concept  of  identifying,  monitoring,  improving, 
correcting,  strengthening,  and  reporting  internal  control  deficiencies  within  the  MIC 
manual  is  largely  based  upon  the  self-reporting  of  control  deficiencies.  According  to  the 
MIC  manual,  “This  self-reporting  of  control  deficiencies  enables  commands  to 
demonstrate  effectiveness  of  their  control  environments  and  activities,  and  indicate  the 
findings  of  their  control  assessments,”  (SECNAV  M-5200-35,  2008,  p.  5).  Although  the 
concept  of  self-reporting  control  deficiencies  can  be  viewed  as  a  measure  of  effectiveness 
and  mode  of  identifying  findings,  the  potential  for  managers  to  intentionally  not  report
identified  internal  control  weaknesses  that  surface  is  a  concern.  The  concept  of  self-
reporting  is  not  an  inherent  risk  but  rather  a  substantial  control  risk  which,  by  design,
limits  the  effectiveness  of  the  control  environment  through  the  use  of  the  MIC  manual. 
The  one  method  which  strengthens  the  control  environment  standard  within  the  MIC 
manual  as  it  pertains  to  the  reporting  of  deficiencies  involves  a  quarterly  meeting  with  the 
Naval  Audit  Service  (NAVAUDSVC)  wherein  audit  reports  from  the  GAO,  DoD 
Inspector  General  (IG),  and  NAVAUDSVC  are  reviewed  (SECNAV  M-5200-35,  2008, 
p.  5).  In  these  cases,  where  audits  have  been  conducted,  the  potential  for  management 
override  in  reporting  all  noted  discrepancies  is  mitigated  to  a  large  degree. 

b.  Commitment  to  Competence  (Major  Factor  #2)


Commitment  to  Competence  is  the  next  major  factor  within  the  GAO  tool 
that  can  be  used  for  measuring  the  control  environment.  In  assessing  the  MIC  manual,  all 
of  the  “points”  and  “subsidiary  points”  listed  in  the  GAO  tool  under  commitment  to 
competence  are  satisfied.  The  MIC  manual  adequately  identifies  and  defines  required 
positions  and  tasks.  The  manual  also  defines  the  responsibilities  of  key  personnel, 
presents  the  overall  structure  of  the  program,  and  clearly  states  the  training  requirements 
for  coordinators,  alternates,  and  others  alike.  Additionally,  the  MIC  manual  presents  the 
availability  of  computer-based  training  for  not  only  those  who  wish  to  receive  an 
overview  of  the  DoN  MIC  Program,  but  also  online  training  for  managers  within  the 
federal  government.  The  Managers’  Internal  Control  Training  portion  of  the  MIC  manual 
both  explains  the  content,  objectives,  and  applicability  of  the  computer-based  training  as 
well  as  lists  step-by-step  instructions  and  print  screen-shots  in  order  to  ensure  readers  can 
access  the  online  training.  Unlike  the  DoN  Managers’  Internal  Control  Program  website 
(http://www.fmo.navy.mil/mic/home  index.htm),  however,  the  MIC  manual  does  not  list
the  GAO  tool  as  an  enabler  for  managers  to  assess  IC’s.  In  this  area,  the  manual  itself 
provides  less  knowledge  than  the  MIC  Program  website  to  lower  management  who  might 
otherwise  need  this  material  to  strengthen  their  skills  and  abilities  in  identifying  weak 
IC’s. 


c.  Management  Philosophy  and  Operating  Style  (Major  Factor  #3) 

Management’s  Philosophy  and  Operating  Style  is  the  next  major  factor 
within  the  GAO  tool  that  can  be  used  for  measuring  the  control  environment.  For  the 
evaluation  of  whether  the  MIC  manual  projected  a  management  philosophy  and  operating 
style  that  was  consistent  with  the  GAO  tool  and  one  which  adequately  developed 
effective  internal  controls,  there  were  mixed  results.  The  submittal  of  certification 
statements  through  the  online  Statement  of  Assurance  Tool  was  a  positive  operating  style 
because  it  safeguards  information  by  use  of  the  online  submission  tool.  The  manual  also 
supported  a  positive  operating  style  in  that  it  promoted  the  use  of  the  SOA  tool  “as  a 
means  of  communication,  allowing  units  /  users  to  communicate  up  and  down  their 
respective  chains  of  command”  (SECNAV  M-5200-35,  2008,  p.  25).  Finally,  the  MIC
manual  promotes  using  performance-based  metrics  and  other  assessments  to  monitor
IC’s,  something  that  the  GAO  tool  identifies  as  a  key  element  to  possess  within  an
organization’s  operating  style  (GAO-01-1008G,  2001,  p.  13).

However,  in  using  GAO’s  tool  to  assess  the  manual,  one  might  view  the 
MIC  manual  as  being  deficient  in  communicating  an  overall  vision  or  management 
philosophy.  The  manual  simply  does  not  list  a  management  vision  or  philosophy  in  the 
body  of  the  manual.  Another  subsidiary  point  under  management’s  philosophy  and 
operating  style  within  the  GAO  tool  is  to  consider  whether  personnel  submit 
inappropriate  or  inaccurate  reports  in  order  to  meet  targets  (GAO-01-1008G,  2001,  p.
15).  As  discussed  in  the  first  major  factor,  the  control  environment  of  the  MIC  manual  is 
weakened  under  the  management  philosophy  and  operating  style  because  there  is  no 
method  of  measuring  deficiencies  that  have  gone  unreported  under  the  self-reporting 
method. 


d.  Organizational  Structure  (Major  Factor  #4) 

Organizational  Structure  is  the  next  major  factor  within  the  GAO  tool  that 
can  be  used  for  measuring  the  control  environment.  The  MIC  manual  exhibited  strengths 
in  possessing  a  sound  organizational  structure,  which  was  consistent  with  the  content  of 
the  GAO  tool.  The  MIC  manual  clearly  outlines  the  DoN  SOA  flow  of  information  up 
and  down  the  chain  of  command.  Figures  depicting  the  various  levels  of  the 
organizational  structure  are  contained  within  the  MIC  manual  and  reflect  the  top-down, 
bottom-up  flow  process.  These  figures  are  useful  for  visualizing  the  organizational 
structure  and  can  be  used  as  templates  for  learning  the  structure.  The  GAO  tool  also 
recommends  measuring  the  soundness  of  organizational  structure  by  assessing  the  level 
of  focus  on  key  areas  of  authority  and  responsibility.  Again,  the  MIC  manual  identifies 
those  who  possess  authority  and  outlines  the  responsibilities  of  the  ASN(FM&C),  NAS, 
Major  Assessable  Units  (MAU’s),  the  Senior  Management  Council,  the  Director,  Office
of  Financial  Operations  (FMO),  the  Senior  Assessment  Team,  Assessable  Units  (AU’s),
coordinators,  alternates,  and  auditing  agencies  (SECNAV  M-5200-35,  2008,  pp.  5-25).
Lastly,  the  MIC  manual  has  established  clear  reporting  relationships  as  outlined  within
the  GAO  tool.  All  remaining  elements  under  the  GAO  tool’s  organizational  structure
were  not  applicable  in  the  assessment  of  the  MIC  manual.  For  example,  determining
whether  employees  work  excessive  overtime  or  whether  an  employee  fills  more  than  one
role  was  simply  found  to  be  inapplicable.  Note  that  evaluators  are  encouraged  to  tailor
the  GAO  tool  to  meet  the  needs  of  an  IC  assessment  (GAO-01-1008G,  2001,  p.  15).

e.  Assignment  of  Authority  and  Responsibility  (Major  Factor  #5) 

The  Assignment  of  Authority  and  Responsibility  is  the  next  major  factor 
within  the  GAO  tool  that  can  be  used  for  measuring  the  control  environment.  The  MIC 
manual  supports  a  high  level  of  authority  and  responsibility  at  the  lower  levels  of 
management.  The  self-reporting  of  deficiencies  by  managers  up  the  chain  of  command 
greatly  empowers  managers  to  correct  problems  or  implement  improvements  as  described 
in  the  GAO  tool  (GAO-01-1008G,  2001,  p.  17).  The  potentially  adverse  effect  resulting
from  such  empowerment  and  authority  in  the  self-reporting  method  has  already  been 
discussed. 

One  element  of  the  GAO  tool  seeks  to  measure  whether  “the  agency 
appropriately  assigns  authority  and  delegates  responsibility  to  the  proper  personnel  to 
deal  with  organizational  goals  and  objectives”  (GAO-01-1008G,  2001,  p.  17).  When
applied  to  the  assessment  of  the  MIC  manual,  the  overarching  goal  and  objective  of  the 
manual  itself  does  not  appear  to  be  clearly  stated.  Rather,  the  goal  “to  maintain  internal 
control  assessment  documentation  that  gives  managers  the  information  they  need  to 
establish  and  improve  internal  controls  within  their  command”  (SECNAV  M-5200-35, 
2008,  p.  15)  is  one  of  the  two  stated  goals  within  the  MIC  manual  and  refers  to  the 
importance  of  controlling  assessment  documentation.  The  second  stated  goal  pertains  to 
risk  assessment  and  is  discussed  in  2.a.  of  the  following  section  of  this  paper.  It  remains
unclear  as  to  whether  the  objective  of  the  MIC  manual  is  to  comply  with  regulatory  and 
statutory  material,  strengthen  internal  controls  or  systems,  or  to  be  used  as  an 
informational  tool  on  how  to  properly  complete  a  certification  statement  and  submit  the 
data  via  the  SOA  online  tool. 

f.  Human  Resource  Policies  and  Practices  (Major  Factor  #6)


Human  Resource  Policies  and  Practices  are  the  next  major  factor  listed 
within  the  GAO  tool  as  measures  for  the  control  environment.  Under  this  section,  the 
GAO  tool  recommends  considering  whether  “Employees  receive  guidance,  review,  and 
on-the-job  training  from  supervisors  to  help  ensure  proper  work  flow  and  processing  of 
transactions  and  events,  reduce  misunderstandings,  and  discourage  wrongful  acts”
(GAO-01-1008G,  2001,  p.  19).  Guidance  on  proper  workflow  and  processing  of  the  SOA  is
provided  within  the  text  of  the  manual.  However,  the  manual  does  not  require  on-the-job 
training  from  supervisors. 

g.  Oversight  Groups  (Major  Factor  #7) 

Oversight  Groups  are  the  last  major  factor  listed  within  the  GAO  tool  as 
measures  for  assessing  the  control  environment.  The  GAO  tool  suggests  that  a  control 
environment  is  sound  if  an  independent  auditor  such  as  an  Inspector  General  (IG)  audits 
and  reviews  agency  activities.  Additionally,  the  GAO  tool  indicates  that  close
coordination  among  audit  committee  members  and  executives  of  the  organization
facilitates  a  sound  control  environment  (GAO-01-1008G,  2001,  p.  20).  The  MIC  manual
states  that  audits  are  conducted  by  independent  agencies  such  as  the  IG  and  that  close 
coordination  should  exist  among  those  involved  in  the  MIC  manual  process. 

2.  Risk  Assessment 

To  assess  risk,  the  second  internal  control  standard,  the  GAO  tool  lists  five  major 
factors  for  consideration.  These  factors  are:  establishment  of  entity-wide  objectives, 
establishment  of  activity-level  objectives,  risk  identification,  risk  analysis,  and  managing 
risk  during  change.  Although  the  GAO  tool  identifies  these  five  factors  as  a  good  starting 
point  to  assessing  risk,  the  GAO  tool  contains  terminology  stressing  that  the  factors
are  not  all-inclusive  and  may  not  apply  under  certain  circumstances.  The  GAO  tool  also
emphasizes  that  establishing  clear  and  consistent  goals  and  objectives  at  both  the  entity
and  agency  levels  is  a  precondition  to  initiating  any  risk  assessment  (GAO-01-1008G,
2001,  p.  23).

a.  Establishment  of  Entity-wide  Objectives  (Major  Factor  #1)


In  applying  the  GAO  tool,  the  MIC  manual  does  not  list  entity-wide 
objectives.  The  MIC  manual  lists  a  stated  goal  on  page  11,  but  the  goal  pertains  to  the 
completion  of  a  risk  assessment.  With  regard  to  organizational  objectives  however,  the 
overarching  organizational  goals  and  objectives  that  have  been  established  by 
management  pertaining  to  risk  and  the  goal  of  the  internal  control  program/manual  have 
not  filtered  down  and  are  not  clearly  stated  within  the  manual.  As  discussed  in  Chapter  II, 
the  GPRA  of  1993  required  agencies  to  clarify  goals  and  objectives  in  order  to  improve 
the  efficiency  of  a  program. 

b.  Establishment  of  Activity-Level  Objectives  (Major  Factor  #2) 

In  applying  the  GAO  tool,  it  is  important  to  assess  whether  the  activity- 
level  objectives  complement  one  another,  include  measurement  criteria,  and  link  with  the 
organization’s  entity-wide  objective  and  strategic  plans  (GAO-01-1008G,  2001,  p.  24).
This  can  be  assessed  by  comparing  mission-level  objectives  with  entity-wide  objectives 
and  ensuring  that  the  objectives  are  both  relevant  and  properly  linked  to  one  another. 
Because  the  entity-wide  objectives  are  not  clearly  stated  within  the  MIC  manual, 
evaluating  activity-level  objectives  as  they  relate  to  the  entity  cannot  be  accomplished. 

c.  Risk  Identification  (Major  Factor  #3) 

The  MIC  manual  provides  methods  for  identifying  internal  risk.  In 
comparing  the  MIC  manual  with  the  GAO  tool,  the  MIC  manual  contains  considerations 
that  are  the  same  as  those  which  are  outlined  in  the  GAO  tool.  Specifically,  the  manual 
identifies  the  three  types  of  risk  and  provides  an  explanation  of  each,  while  also  listing  a 
decision  diagram  for  distinguishing  between  inherent,  control,  and  combined  risk.  As
discussed  in  the  GAO  tool,  the  manual  also  uses  both  qualitative  and  quantitative  methods
for  identifying  risk.  The  MIC  manual  contains  a  sample  flowchart  for  documenting  key 
processes,  as  well  as  tables  for  measuring  inherent,  control,  and  combined  risk  as  being 
either  low,  moderate,  or  high  (SECNAV  M-5200-35,  2008,  pp.  10-14).  Although  the 
manual  also  explains  how  risks  are  to  be  identified,  ranked,  analyzed,  and  reported,  it 
does  not  distinguish  risk  as  emerging  from  either  internal  or  external  factors.  Discussions
involving  risk  are  focused  on  internal  factors  and  the  MIC  manual  does  not  provide
mechanisms  for  managers  to  use  in  considering  risk  from  external  sources,
something  that  the  GAO  tool  lists  as  a  major  factor.

d.  Risk  Analysis  (Major  Factor  #4) 

Risk  Analysis  is  the  next  major  factor  within  the  GAO  tool  that  can  be 
used  for  measuring  and  assessing  risk.  Consistent  with  the  GAO  tool,  the  MIC  manual 
exhibits  a  formal  process  for  analyzing  risk  and  assigning  levels  of  risk  as  being  high, 
moderate,  or  low  once  risk  has  been  identified.  As  part  of  the  risk  analysis  process,  the 
MIC  manual  contains  a  risk  assessment  table  wherein  an  organization  can  assign  a 
control  number  to  an  identified  risk,  categorize  the  risk  level  as  high,  moderate,  or  low, 
and  indicate  whether  inherent,  control,  or  combined  risk  exists.  Additionally,  the  risk 
assessment  table  contains  a  column  for  listing  the  internal  control  that  is  currently  in 
place  for  the  risk  identified  (SECNAV  M-5200-35,  2008,  pp.  10-14).  The  last  point  under 
the  major  factor  of  risk  analysis  contained  in  the  GAO  tool  asks  whether  “management 
has  developed  an  approach  for  risk  management  and  control  based  on  how  much  risk  can 
be  prudently  accepted”  (GAO-01-1008G,  2001,  p.  29).  The  MIC  manual  addresses  this
concern  through  the  use  of  a  control  assessment  table  which  is  designed  to  validate  the 
assumed  level  of  control  risk  by  an  organization  (SECNAV  M-5200-35,  2008,  p.  15). 

e.  Managing  Risk  during  Change  (Major  Factor  #5) 

Managing  Risk  during  Change  is  the  final  major  factor  within  the  GAO 
tool  that  can  be  used  for  risk  assessment.  The  MIC  manual  addresses  this  factor  through 
the  regular  requirements  of  preparing  and  submitting  control  assessment  documentation. 
The  MIC  manual  states  that  “once  internal  controls  are  in  place;  management  shall 
actively  monitor  those  controls  to  ensure  they  are  functioning  correctively  and  effectively 
mitigating  the  associated  risk”  (SECNAV  M-5200-35,  2008,  p.  14).  The  MIC  manual 
recommends  that  major  units  submit  at  least  one  internal  control  assessment  annually  to 
monitor  potential  changes.  Additionally,  since  there  is  a  requirement  to  update  the  MIC
manual  on  an  annual  basis,  any  statutory  or  regulatory  changes  that  might  occur 
throughout  the  year  would  be  addressed  within  the  updated  manual. 

3.  Control  Activities 

Only  those  major  factors  that  were  found  to  be  pertinent  or  applicable  in
assessing  the  MIC  manual  are  discussed  below.

a.  General  Application  (Major  Factor  #1)

When  comparing  the  MIC  manual  to  items  listed  under  this  category,  the 
GAO  tool  considers  whether  “appropriate  policies,  procedures,  techniques,  and 
mechanisms  exist”  (GAO-01-1008G,  2001,  p.  34).  Although  the  MIC  manual  does
reference  DoDI  5010.40,  SECNAVINST  5200.35E,  SECNAVINST  5430.7N,  GAO’s
standards  for  internal  control,  and  OMB  Circular  A-123  as  related  internal  control
sources,  the  manual  does  not  mention  the  relevance,  interrelation,  and  value  of  the 
GPRA,  DoD  Directive  5010.38,  and  the  GAO’s  tool.  Although  not  specifically  identified 
as  control  activities,  the  MIC  manual  does  identify  several  activities  surrounding  the 
submission  of  certification  statements  and  SOA’s  that  are  viewed  as  a  form  of  control. 

b.  Common  Categories  of  Control  Activities  (Major  Factor  #2) 

In  this  category,  when  comparing  the  MIC  manual  to  items  listed  in  the 
GAO  tool,  the  manual  tracks  an  organization’s  (submitted)  initiatives,  achievements,  and 
deficiencies  while  also  ensuring  corrective  action  is  taken  where  necessary.  This  is 
accomplished  through  the  MIC  manual’s  SOA  reporting  process.  The  manual  also
contains  control  activities  to  ensure  that  those  who  are  involved  in  the  SOA  submission 
process  receive  proper  online  training.  With  regard  to  other  points  under  this  section 
contained  in  the  GAO  tool,  the  MIC  manual  does  not  have  a  section  dedicated  to  control 
activities.  The  manual  neither  defines  nor  explains  control  activities  to  the  level  that  one 
could  determine  the  adequacy  of  internal  controls  and  to  what  level  they  should  be 
controlled.  Rather,  the  MIC  manual  provides  a  few  examples  of  various  control  activities 
within  a  flowchart,  stating  that  “the  flowchart  will  identify  key  processes  and  their  related
control  activities  such  as  control  over  information  processing,  physical  control  over
vulnerable  assets,  segregation  of  duties,  and  accurate  and  timely  recording  of  transactions
and  events”  (SECNAV  M-5200-35,  2008,  p.  12).  Another  section  within  the  MIC  manual
(developing  a  MIC  Plan)  states  that  the  MIC  plan  will  address  all  five  elements  of  the 
GAO  standards.  In  this  example  of  a  MIC  plan,  there  is  a  section  on  control  activities 
which  instructs  the  reader  to  “Describe  the  methodology  of  how  control  activities  are 
identified  and  developed,  the  types  of  policies  and  documented  procedures  that  are  in 
place  to  explain  and  outline  how  to  ensure  the  effectiveness  of  controls”  (SECNAV  M-5200.35,
2008,  p.  19).  Neither  section,  however,  provides  the  information  necessary  for
the  individual  to  be  able  to  understand  the  importance  of  control  activities.  The  reader  is,
however,  provided  a  list  of  GAO’s  standards  of  internal  control  and  directed  to  the  GAO
online  website  for  additional  information.

c.  Control  Activities  Specific  for  Information  Systems  -  General 
Control  and  Application  Control  (Major  Factors  #3  through  10) 

Information  technology  (IT)  is  included  as  an  internal  control  reporting 
category  within  the  MIC  manual.  The  manual  describes  this  area  as  covering  “the  design, 
development,  testing,  deployment,  use,  and  security  of  automated  information  systems 
using  a  combination  of  computer  hardware,  software,  or  data  that  performs  functions
such  as  collecting,  processing,  storing,  transmitting,  or  displaying  information  and  other 
technologies  for  processing  management  information”  (SECNAV  M-5200.35,  2008,  p. 
24).  The  MIC  manual  does  not  state  that  control  activities  should  be  assessed  in  each  one 
of  these  areas  within  IT.  Rather,  it  is  implied  that  each  area  within  IT  be  assessed  under 
the  control  activity.  The  MIC  manual  does  not  provide  the  level  of  detail  which  the  GAO 
tool  does  in  assessing  access  control,  system  software  control,  segregation  of  duties, 
service  continuity,  authorization  control,  completeness  control,  accuracy  control,  or 
control  over  integrity  of  processing  and  data  files  as  it  pertains  to  information  technology
(GAO-01-1008G,  2001).

4.  Information  and  Communications


a.  Information  (Major  Factor  #1) 

Using  the  GAO  tool  to  evaluate  the  fourth  standard  (Information  and
Communication),  the  MIC  manual  addresses  all  but  one  sub-category  within  the
information  factor.  The  MIC  manual  establishes  mechanisms  (the  SOA  online  tool,  tables,
charts,  and  figures)  to  capture  and  record  operational  information  pertaining  to  internal
controls.  The  manual  also  provides  the  reader  with  various  sources  of  training  as  well  as 
other  items  of  interest  and  relevance  regarding  the  submission  of  certification  statements. 
The  MIC  manual  does  not,  however,  provide  an  in-depth  description  or  explanation  of
GAO’s  five  standards  of  internal  control  or  provide  the  reader  with  the  tools  necessary 
for  assessing  each  of  the  five  standards.  A  consideration  listed  under  the  information 
factor  within  the  GAO  tool  involves  identifying  whether  “Pertinent  information  is 
identified,  captured,  and  distributed  to  the  right  people  in  sufficient  detail,  in  the  right 
form,  and  at  the  appropriate  time  to  enable  them  to  carry  out  their  duties  and 
responsibilities  efficiently  and  effectively”  (GAO-01-1008G,  p.  51).  In  the  authors’  view,
an  in-depth  description  and  explanation  of  the  GAO’s  five  standards  of  internal  control  is 
pertinent  information  which  the  MIC  manual  does  not  provide. 

b.  Communications  (Major  Factor  #2) 

Communication  is  the  next  major  factor  within  the  GAO  tool  that  can  be 
used  for  measuring  the  information  and  communications  standard.  In  assessing  the  MIC 
manual,  most  of  the  points  and  subsidiary  points  listed  in  the  GAO  tool  under 
communication  are  satisfied.  The  MIC  manual  clearly  communicates  the  SOA 
submission  requirements  and  the  duties  of  key  personnel.  Additionally,  the  manual  lays 
the  foundation  for  communication  among  internal  organizations  throughout  the  reporting 
process  as  well  as  external  agencies  such  as  auditors  from  the  GAO  or  IG. 

c.  Forms  and  Means  of  Communication  (Major  Factor  #3)


Forms  and  Means  of  Communications  is  the  last  major  factor  within  the 
GAO  tool  that  can  be  used  for  assessing  the  information  and  communication  standard. 
The  MIC  manual,  a  form  of  communication  in  itself,  also  provides  other  forms  of 
communication  such  as  phone  numbers  and  email  addresses  to  obtain  additional 
information  on  internal  control.  The  manual  also  provides  the  DoN’s  MIC  webpage 
(http://www.fmo.navy.mil/mic/home  index.htm)  as  a  source  for  communicating  any
changes  or  updates  pertaining  to  the  MIC  program  and  manual. 

5.  Monitoring  Assessment 

a.  Ongoing  Monitoring  (Major  Factor  #1)

Using  the  GAO  tool  to  evaluate  the  fifth  standard,  several  forms  of 
monitoring  are  observed  throughout  the  MIC  manual.  The  manual  states  that  “Monitoring 
of  internal  controls  shall  include  policies  and  procedures  for  ensuring  that  the  findings  of 
audits  and  other  reviews  are  promptly  resolved”  (SECNAV  M-5200.35,  2008,  p.  16). 
External  to  the  MIC  program  and  manual  are  audits  by  the  GAO  and  IG,  which  act  as  an 
ongoing  monitoring  tool.  Additionally,  deficiencies  that  are  identified  as  a  material 
weakness,  a  reportable  condition,  or  an  item  to  be  revisited  as  outlined  in  the  MIC 
manual are all conditions that enable ongoing monitoring of internal controls
throughout  the  reporting  process.  The  Managers’  Internal  Control  Plan,  a  plan  required 
by  the  MIC  manual,  is  also  a  mechanism  for  monitoring  corrective  actions,  training 
efforts, changes in the organizational structure, and changes of key positions. The SOA
submission  process  also  acts  as  a  form  of  ongoing  monitoring  since  actions  are  taken  to 
ensure  the  deficiency  is  resolved  in  a  timely  manner. 

b.  Separate  Evaluations  (Major  Factor  #2) 

Discussions  within  the  GAO  tool  suggest  considering  the  frequency  in 
which  separate  evaluations  of  internal  control  occur  and  assessing  whether  the 
methodology  for  evaluating  the  organization’s  internal  control  is  logical  and  appropriate 
(GAO-01-1008G, p. 63). The authors have discussed that external evaluations and audits
occur through the GAO and IG, although the frequency and adequacy with which these
evaluations occur are unknown. Concerning the MIC manual’s methodology in evaluating
the  organization’s  internal  control,  the  negative  impacts  of  self-reporting  have  already 
been  raised.  It  is  for  this  reason  that  one  could  argue  the  methodology  for  evaluating 
internal  control  is  not  appropriate.  Additionally,  neither  the  GAO  tool  nor  MIC  manual 
incorporates  any  monitoring  of  the  internal  control  system,  only  internal  controls  within 
the  system. 


c. Audit Resolution (Major Factor #3)

Where  applicable,  the  MIC  manual  supports,  encourages,  and  requires 
prompt  action  and  resolution  to  the  discovery  of  an  internal  control  deficiency.  The  MIC 
manual  has  a  corrective  action  plan  and  requires  a  narrative  be  included  in  the  SOA 
submission  pertaining  to  the  resolution  of  any  negative  audit  finding.  Training  that  is 
provided under the MIC program and manual also contains discussions surrounding the
importance  of  being  responsive  to  any  noted  discrepancies  and  developing  solutions  to  an 
identified  internal  control  issue.  Finally,  senior  leadership  is  supposed  to  be  involved  in 
reviewing  SOA  submissions  for  completeness,  ensuring  that  appropriate  actions  have 
been  taken  in  a  timely  manner  (in  response  to  an  audit  finding)  and  to  provide  oversight 
in  ensuring  all  parties  are  satisfied  with  corrections  that  have  been  made. 

C.  THE  REVIEW  PROCESS 

The GAO tool was used to evaluate the MIC Manual to determine if the manual
aligns with the spirit and intent of the SECNAV 5200.35E and other pertinent statutory
and regulatory references. The findings of Chapter V are used as the basis for Chapter VI
of this evaluation. The following findings will be used to determine the ease of
comprehension and implementation of the MIC manual: 1) its effectiveness in aligning an
organization’s current mission, organizational philosophy, management strategy, goals,
metrics,  sustainment  efforts,  and  improvement  programs,  and  2)  the  potential  challenges 
in  applying  the  internal  management  control  concepts  based  on  the  MIC  manual. 




VI.  CONCLUSION  AND  RECOMMENDATION 


A.  IMC  SYSTEM  FUNCTION 

The  situations  that  require  IMC’s  and  IMC  systems  are  many,  just  as  there  are 
multiple  ways  to  contemplate  how,  or  determine  why  a  specific  function  or  task  should 
be  controlled.  Identifying  a  specific  task  is  not  necessarily  complex,  but  effectively 
incorporating and implementing the task as part of an IMC system while also considering
the  organization’s  philosophy  is  challenging.  The  difficulty  lies  in  the  intangible  aspects 
of  applying  an  IMC  and  identifying  and  using  a  model  that  effectively  articulates  the 
process.  Properly  defining  IMC’s  has  become  increasingly  difficult  given  today’s 
growing  environmental  diversity,  the  complexity  of  organizations,  and  the  increased 
needs  of  management.  Due  in  part  to  the  increase  in  organizational  and  environmental 
complexity,  IMC’s  become  more  complex.  As  a  result,  comprehension  of  these  detailed 
control  systems  has  become  more  challenging  when  one  has  to  consider  aligning  IMC’s 
with  management’s  strategy,  goals,  organizational  philosophy,  sustainment  programs, 
laws  and  regulations. 

As  discussed  in  Chapter  III,  a  sound  IMC  system  effectively  translates  a  vision, 
communicates  a  strategy  throughout  the  organization,  and  links  the  strategy  with 
objectives  throughout  the  organization.  An  effective  IMC  system  establishes  approaches 
for  identifying  a  specific  task  or  function  that  requires  an  IMC  as  well  as  defines  how  to 
effectively  institute  IMC’s  as  part  of  the  larger  system.  Using  an  IMC  system  that  does 
not  possess  a  shared  organizational  philosophy  among  applicable  stakeholders  can  result 
in  ineffectiveness  or  failure  due  to  improper  alignment  and  linkage  of  a  shared  vision, 
strategy,  or  even  corporate  buy-in.  As  previously  stated,  it  is  imperative  for  organizations 
to  achieve  successful  alignment  among  existing  IMC’s  (in  order  to  facilitate  a  successful 
program)  as  well  as  gain  corporate  buy-in  (Green  &  Ryan,  2005,  p.  45).  To  minimize 
these  negative  effects,  an  effective  implementation  strategy  should  include  an  IMC 
system  that  offers  effective  translation  yet  simplicity. 

Successful IMC systems are designed to give the necessary tools to the entire
organization  and  increase  corporate  understanding.  The  ability  of  an  organization  to 
clearly  define  the  environment  and  goals  of  an  IMC  system  is  not  only  required  by  law, 
but  should  also  be  viewed  as  part  of  the  necessary  tools  which  are  needed  to  increase  the 
corporate  understanding  of  managers  and  other  stakeholders.  To  do  otherwise  makes 
improving  a  program  more  difficult  because  key  personnel  find  it  challenging  to 
understand  the  overarching  purpose  and  vision  of  the  program.  As  previously  discussed, 
GPRA  set  in  motion  the  requirement  to  clearly  state  the  goals  of  a  program  and  measure 
its  performance.  This  law  was  enacted  based  in  part  upon  congressional  findings  that 
“federal  managers  were  seriously  disadvantaged  in  their  efforts  to  improve  program 
efficiency  and  effectiveness,  because  of  insufficient  articulation  of  program  goals  and 
inadequate  information  on  program  performance”  (GPRA  of  1993,  p.  1).  The  unfavorable 
congressional  findings  listed  above  can  be  directly  attributed  to  an  instruction,  manual,  or 
directive  that  contains  unclear  goals,  missions,  and  objectives.  In  addition  to  the  GPRA, 
the  FMFIA  was  discussed  as  legislation  which  required  the  control  of  the  defined 
environment  and  goals.  GAO’s  five  standards  of  internal  control  were  developed  in 
response  to  the  FMFIA  and  have  been  presented  in  this  report  as  being  designed  to  link 
organizational  philosophies  with  pertinent  statutory  mandates  and  regulatory  concepts. 
Ultimately,  the  successful  articulation  of  organizational  philosophies  and  goals  within  a 
program’s  design,  instructions,  directives,  orders,  and  manual  creates  greater  corporate 
understanding  for  the  entire  organization. 

Reviews of IMC systems or programs are as important and necessary as
conducting a review or audit of internal controls within the system. Throughout the data
collection and review process of this report, the authors noted various audits and reports
that were conducted, citing weaknesses of current internal controls of the DoD and
DoN.  The  majority  of  these  audits/reports  reviewed  focused  on  shortcomings  within 
various  operational  controls  of  an  IMC  system  such  as  in  inventory  management, 
transportation,  travel  cards,  credit  cards,  improper  payment  disbursing,  and  financial 
management  activities.  Yet,  not  one  assessment  of  an  overarching  IC  system  or  program 
was  identified.  There  appears  to  be  a  willingness  to  blame  deficiencies  on  poor  internal 
management controls at the operational level. Although placing the blame on these
deficiencies is well-founded and largely substantiated, the root cause of some of these
deficiencies may lie in the poor design of the overall program or system.

The  absence  of  focus  on  assessing  IMC  systems  is  arguably  one  of  the 
shortcomings  of  the  GAO’s  five  standards  of  internal  control,  which  does  not  suggest  or 
require  the  use  of  the  five  standards  as  a  monitoring  or  evaluation  tool  for  both  internal 
controls  and  internal  control  programs  or  systems.  Therefore,  any  organization 
implementing  GAO’s  five  standards  of  internal  control  (e.g.,  control  environment,  risk 
assessment, control activities, information and communication, and monitoring) into its
IMC  system  could  potentially  fail  to  consider  the  ongoing  monitoring  of  the  system  or 
program  as  imperative.  The  authors  of  this  report  are  of  the  opinion  that  the  GAO  model 
of  the  five  standards  of  internal  control  is  an  effective  and  efficient  tool  for  both  the 
monitoring  of  IC’s  and  IC  systems  or  programs.  As  the  GAO  states,  “Internal  control  is 
management  control  that  is  built  into  the  entity  as  a  part  of  the  infrastructure  to  help 
managers  run  the  entity,”  (GAO  Report  00-21.3.1,  1999,  p.  6).  One  could  assert  that 
internal  control  systems  are  likewise  management  controls  that  are  built  into  an 
organization’s  design  and  help  managers  run  the  organization. 

The  GAO  Internal  Control  Management  and  Evaluation  Tool  (GAO  tool)  was 
used  to  evaluate  the  MIC  manual  in  order  to  answer  the  project  objectives  as  discussed  in 
Chapter  I.  To  determine  if  the  MIC  manual  aligns  with  the  spirit  and  intent  of  the 
SECNAVINST 5200.35E, the functionality of the MIC manual is discussed in section B
of  this  chapter.  To  identify  the  ease  of  use  or  potential  challenges  in  applying  the 
concepts  as  outlined  in  the  manual,  the  alignment  of  other  statutory  and  regulatory 
references  are  discussed  in  section  C  of  this  chapter.  Section  D,  the  overall  conclusion, 
discusses the manual’s effectiveness in aligning an organization’s current mission,
philosophy,  management  strategy,  goals,  metrics,  sustainment  efforts,  and  improvement 
programs. 

B. FUNCTIONALITY OF THE MIC MANUAL

The  MIC  manual  complies  with  the  responsibilities  and  requirements  as  outlined 
in SECNAVINST 5200.35E. Specifically, the manual provides an internal control
reporting  structure,  due  dates,  examples,  instructions  on  reporting  requirements,  and 
instructions  on  accessing  internal  control  training.  The  manual  also  complies  with  the 
SECNAVINST 5200.35E by listing assessable units, the number of scheduled and
completed  assessments,  and  progress  for  accomplishing  the  annual  program 
(SECNAVINST  5200.35E,  2006,  p.  2). 

The  MIC  manual  also  describes  the  submission  process  of  certification  statements 
through  the  statement  of  assurance  (SOA)  online  tool  and  defines  the  responsibilities  of 
those  involved  in  the  process.  The  MIC  manual  provides  guidance  on  properly  assessing 
and  documenting  feeder  components  (such  as  accomplishments,  material  weaknesses, 
reportable  conditions,  and  items  to  be  revisited)  of  the  SOA,  as  well  as  documenting  and 
reporting  out  the  results  of  any  external  audits  that  are  conducted  by  the  GAO,  DoD  IG  or 
other  agency.  However,  one  could  argue  that  the  manual  falls  short  in  transcending  or 
translating the organizational philosophy of SECNAVINST 5200.35E. In design, the
MIC  manual  lacks  depth  in  referencing  and  explaining  the  importance  of  IC’s,  the  GAO 
standards,  the  GPRA  requirements,  and  other  pertinent  programs  and  initiatives.  The 
MIC manual’s focus on providing instructional guidance, adhering directly to the
requirements of SECNAVINST 5200.35E alone, requires the reader to be fully educated
on internal controls and possess knowledge of the spirit and intent of SECNAVINST
5200.35E, the GAO’s five standards, the FMFIA, OMB Circular A-123, the GPRA, and
other documentation which lay the foundation and requirements for IC’s and IMC system
functions.  Additionally,  one  could  argue  that  the  overarching  organizational  goals  and 
objectives  that  have  been  established  by  superseding  documents  have  not  filtered  down 
and  are  not  clearly  stated  within  the  manual. 

Lastly,  the  potential  for  management  override  in  the  self-reporting  process  by  the 
non-reporting  of  identified  control  weaknesses  is  an  impairment  to  the  functionality  of 
the MIC manual. This report does, however, recognize that the self-reporting process is
an accepted control risk that cannot be overcome without implementing a mandated and
external  audit  process  of  every  entity  throughout  the  organization.  This  alternative  is 
neither  cost  effective  nor  realistic  given  the  size  of  DoD  organizations.  Therefore,  the 
likely  functionality  of  the  MIC  manual  (and  program)  is  recognized  as  limited  under  the 
control environment because reported information is potentially unreliable due to the
absence  of  material  data  that  was  not  self-reported. 

C.  RECOMMENDATIONS  FOR  MIC  MANUAL 

The  MIC  manual  is  a  mechanism  for  communicating  the  DoN’s  MIC  Program. 
Arguably,  manuals  are  only  designed  to  effectively  translate  how  a  certain  process  should 
be completed. However, the foreword states that the MIC manual “specifies procedures for
implementing  an  effective  IC  program  throughout  the  DoN”  (SECNAV  M-5200.35, 
2008).  Therefore,  the  procedures  should  include  and  link  the  overarching  organizational 
philosophy  and  goals  (of  the  MIC  Program)  while  also  translating  the  vision  and  strategy 
up  and  down  the  organizational  hierarchy.  Additionally,  including  the  control 
philosophies,  objectives,  vision,  and  strategy  of  the  MIC  Program  within  the  MIC  manual 
also  facilitates  understanding  and  fosters  corporate  buy-in  among  managers. 

The  MIC  manual  should  begin  by  clearly  stating  the  mission,  purpose,  goals,  and 
objectives  of  the  manual  while  transcending  the  managerial  philosophy,  intent,  and  vision 
of SECNAVINST 5200.35E and other statutory and regulatory documents. Doing so will
provide  the  reader  with  a  background  pertaining  to  IC’s  and  provide  an  explanation  into 
the  importance  of  IC’s  and  IC  programs/systems.  Stating  the  purpose,  goals,  and 
objectives  clearly  will  provide  the  reader  with  a  baseline  and  understanding  of  why  and 
how  the  MIC  manual  facilitates  the  strengthening  of  internal  controls  while  also 
transcending  the  importance  of  internal  controls  and  processes.  By  also  setting  a  positive 
and  supportive  attitude  towards  IMC’s,  buy-in  from  senior  leadership,  managers,  and 
other  stakeholders  will  be  encouraged. 

The  MIC  manual  could  be  improved  by  using  the  structure  of  GAO’s  five 
standards  of  internal  control.  Although  the  MIC  manual  discusses  the  control 
environment, risk assessment, information and communication, and monitoring, the topics
are not clearly delineated by standard. The manual does not clearly reflect the five
standards  of  internal  control  throughout  the  body  of  the  text  as  standards.  The  MIC 
manual  should  be  written  as  a  representation  of  what  an  internal  management  control 
program  should  look  like,  so  that  readers  can  have  an  example  of  what  is  a  control 
environment. By using titles such as “The Control Environment,” “Risk Assessment,”
“Control Activities,” “Information and Communications,” and “Monitoring” throughout
the MIC manual, the structure of the manual will be better suited for assimilating and
applying the GAO standards and tool, which actually helps the reader “determine what,
where, and how improvements can be implemented” (GAO-01-1008G, 2001, p. 1).

The  MIC  manual  should  encourage  managers  to  place  great  emphasis  on  using 
and  applying  GAO’s  tool  when  interpreting  and  understanding  the  five  standards  of 
internal  control.  Although  the  MIC  manual  lists  the  five  standards  of  control  on  page  17 
of  the  text,  the  manual  does  not  identify  the  GAO’s  tool  as  a  valuable  mechanism  for 
developing  or  assessing  existing  IC’s.  The  GAO  standards  are  an  effective  mechanism  to 
maintain  or  achieve  effective  internal  control. 

D.  CONCLUSION 

When  designed  well,  IMC  systems  increase  corporate  understanding  because  each 
member  of  the  organization  is  provided  the  necessary  tools  to  understand  the 
requirements  of  the  IC’s  within  their  entity.  Additionally,  a  well-designed  IMC  system 
provides  stakeholders  a  holistic  understanding  of  why  and  how  IC’s  impact  the 
organization.  When  a  manager  clearly  understands  the  IC’s  he  or  she  has  in  place, 
understands  the  interrelationship  and  value  of  those  IC’s  as  they  function  among  other 
entities  and  within  the  organization  as  a  whole,  corporate  understanding  is  strengthened 
and  a  firm  link  between  IC’s  and  the  organization’s  philosophies,  goals,  objectives,  and 
strategy  has  been  established. 

It  is  imperative  for  organizations  to  achieve  both  successful  alignments  of  existing 
IMC’s  (in  order  to  facilitate  a  successful  program)  as  well  as  gain  corporate  buy-in 
(Green  &  Ryan,  2005,  p.  45).  The  Standards  of  Internal  Management  Control  are 
designed  to  link  philosophies  with  other  pertinent  statutory  and  regulatory  concepts. 
Ultimately, by linking the IMC management philosophies of pertinent regulatory and
statutory  documents  and  realigning  the  format  to  coincide  with  the  five  standards  of 
internal  control,  the  MIC  manual  can  better  articulate  the  necessity  for  IC’s  and 
strengthen  its  ease  of  use. 

APPENDIX A


A.  OTHER  STATUTORY  AND  REGULATORY  REFERENCES  THAT 
INDIRECTLY  CONTRIBUTED  TO  THE  INFLUENCE  OF  THE  DON’S 
MIC  PROGRAM 


Deputy  Secretary  of  Defense  Memorandum,  “Establishment  of  the  Senior  Financial 
Management  Oversight  Council,”  July  14,  1993 


Department  of  Defense  (DoD)  5000.1,  “The  Defense  Acquisition  System,”  May  12,  2003 


Department of Defense (DoD) Directive 5118.3, “Under Secretary of Defense
(Comptroller)  (USD(C))/Chief  Financial  Officer  (CFO),  Department  of  Defense,” 
January  6,  1997 


Department of Defense (DoD) 7000.14-R, “DoD Financial Management Regulation,”
current  edition,  authorized  by  DoD  Instruction  7000.14,  November  15,  1992 


Department  of  Defense  (DoD)  8000.1,  “Management  of  DoD  Information  Resources  and 
Information  Technology,”  February  27,  2002 


Department of Defense (DoD) 8910.1-M, DoD Procedures for Management of
Information  Requirements,  November  28,  1986,  authorized  by  DoD  Directive  8910.1, 
June  11,  1993 

Federal  Accounting  Standards  Advisory  Board  (FASAB),  Generally  Accepted 
Accounting  Principles  (GAAP),  multiple  dates,  can  be  found  at 
http://www.fasab.gov/accepted.html


General  Accounting  Office  (GAO)  Policy  and  Procedures  Manual  for  Guidance  of 
Federal  Agencies,  “Title  II  Accounting,”  May  1988 


Office of Management and Budget Memorandum A-11, Preparation, Submission and
Execution  of  the  Budget,  July  16,  2004 


Office  of  Management  and  Budget  (OMB)  Bulletin  No.  01-09,  “Form  and  Content  of 
Agency Financial Statements,” September 25, 2001

Office of Management and Budget (OMB) Circular A-76, Performance of Commercial
Activities,  May  29,  2003 


Office of Management and Budget (OMB) Circular A-130 (Revised), “Management of
Federal  Information  Resources,”  November  28,  2000 


Office of Management and Budget (OMB) Circular No. A-136, “Financial
Reporting  Requirements,”  December  21,  2004 


Office  of  Management  and  Budget  Memorandum,  “Year-End  Internal 
Control  Report,”  current  edition 

Secretary  of  Defense  Memorandum,  “Revised  Federal  Managers’  Financial 
Integrity  Act  Implementation,”  February  12,  1994 


Secretary  of  Defense  Memorandum,  “Guidance  to  Implement  Secretary  of 
Defense  Federal  Managers’  Financial  Integrity  Act  Direction,”  April  18,  1994 

Secretary of Navy Instruction (SECNAVINST) 5430.7N, “Assignment of
Responsibilities  and  Authorities  in  the  Office  of  the  Secretary  of  the  Navy”  June  9,  2005 

Secretary  of  Navy  Instruction  (SECNAVINST)  5214.1,  “Department  of  the  Navy 
Information  Requirements  (Reports)  Manual,”  December  2005 

Section  101  of  title  6,  United  States  Code 

Section  501  of  title  31,  United  States  Code 

Section  1101  of  title  31,  United  States  Code 

Sections 3512 and 3515 of title 31, United States Code (as amended by the
Government Management Reform Act of 1994, Public Law 103-356, January
25, 1994)

Section  7501  of  title  31,  United  States  Code 

Statements  of  Federal  Financial  Accounting  Standards  (through  1996  and  as  issued  by 
Office  of  Management  and  Budget) 

Treasury Financial Manual, Volume 1: Federal Agencies, United States Department of
the  Treasury,  Financial  Management  Service,  latest  version,  can  be  found  at 
http://www.fms.treas.gov/tfm 

United  States  Navy  Regulations,  1990 

United  States  Standard  General  Ledger  (USSGL),  latest  version,  can  be  found  at 
http://www.whitehouse.gov/omb/bulletins/b01-09.html 

APPENDIX B


A.  GAO’S  INTERNAL  CONTROL  MANAGEMENT  AND  EVALUATION 
TOOL  (GAO  TOOL) 

Appendix B provides a detailed list of the points and subsidiary points provided in
the GAO tool. The GAO tool does define the five standards; however, that portion was
removed because Chapter III provided that detail. This structured approach is used to
describe the overall findings in this report (GAO-01-1008G, 2001).

CONTROL  ENVIRONMENT 


Integrity  and  Ethical  Values 

1.  The  agency  has  established  and  uses  a  formal  code  or  codes  of  conduct  and  other 
policies  communicating  appropriate  ethical  and  moral  behavioral  standards  and 
addressing  acceptable  operational  practices  and  conflicts  of  interest.  Consider  the 
following: 

•  The  codes  are  comprehensive  in  nature  and  directly  address  issues  such  as  improper 
payments,  appropriate  use  of  resources,  conflicts  of  interest,  political  activities  of 
employees,  acceptance  of  gifts  or  donations  or  foreign  decorations,  and  use  of  due 
professional  care. 

•  The  codes  are  periodically  acknowledged  by  signature  from  all  employees. 

•  Employees  indicate  that  they  know  what  kind  of  behavior  is  acceptable  and 
unacceptable,  what  penalties  unacceptable  behavior  may  bring,  and  what  to  do  if  they 
become  aware  of  unacceptable  behavior. 

2.  An  ethical  tone  has  been  established  at  the  top  of  the  organization  and  has  been 
communicated  throughout  the  agency.  Consider  the  following: 

•  Management  fosters  and  encourages  an  agency  culture  that  emphasizes  the 
importance of integrity and ethical values. This might be achieved through oral
communications in meetings, via one-on-one discussions, and by example in
day-to-day activities.

•  Employees  indicate  that  peer  pressure  exists  for  appropriate  moral  and  ethical 
behavior. 

•  Management  takes  quick  and  appropriate  action  as  soon  as  there  are  any  signs  that  a 
problem  may  exist. 

3.  Dealings  with  the  public,  Congress,  employees,  suppliers,  auditors,  and  others  are 
conducted  on  a  high  ethical  plane.  Consider  the  following: 

•  Financial,  budgetary,  and  operational/programmatic  reports  to  Congress,  OMB, 
Treasury,  the  Office  of  Personnel  Management  (OPM),  and  the  public  are  proper  and 
accurate  (not  intentionally  misleading). 

• Management cooperates with auditors and other evaluators, discloses known
problems  to  them,  and  values  their  comments  and  recommendations. 

•  Underbillings  by  suppliers  or  overpayments  by  users  or  customers  are  quickly 
corrected. 

•  The  agency  has  a  well-defined  and  understood  process  for  dealing  with  employee 
claims  and  concerns  in  a  timely  and  appropriate  manner. 

4. Appropriate disciplinary action is taken in response to departures from approved
policies and procedures or violations of the code of conduct. Consider the following:

•  Management  takes  action  when  there  are  violations  of  policies,  procedures,  or  the 
code(s)  of  conduct. 

•  The  types  of  disciplinary  actions  that  can  be  taken  are  widely  communicated 
throughout  the  agency  so  that  others  know  that  if  they  behave  improperly,  they  will 
face  similar  consequences. 

5. Management appropriately addresses intervention or overriding internal control.
Consider the following:

•  Guidance  exists  concerning  the  circumstances  and  frequency  with  which  intervention 
may  be  needed,  and  the  management  levels  which  may  take  such  action. 

•  Any  intervention  or  overriding  of  internal  control  is  fully  documented  as  to  reasons 
and  specific  actions  taken. 

•  Overriding  of  internal  control  by  low-level  management  personnel  is  prohibited 
except  in  emergency  situations,  and  upper-level  management  is  immediately  notified 
and  the  circumstances  are  documented. 

6.  Management  removes  temptation  for  unethical  behavior.  Consider  the  following: 

•  Management  has  a  sound  basis  for  setting  realistic  and  achievable  goals  and  does  not 
pressure  employees  to  meet  unrealistic  ones. 

•  Management  provides  fair,  nonextreme  incentives  (as  opposed  to  unfair  and 
unnecessary  temptations)  to  help  ensure  integrity  and  adherence  to  ethical  values. 

•  Compensation  and  promotion  are  based  on  achievements  and  performance. 

Commitment  to  Competence 

1. Management has identified and defined the tasks required to accomplish
particular jobs and fill the various positions. Consider the following:

•  Management  has  analyzed  the  tasks  that  need  to  be  performed  for  particular  jobs  and 
given  consideration  to  such  things  as  the  level  of  judgment  required  and  the  extent  of 
supervision  necessary. 

•  Formal  job  descriptions  or  other  means  of  identifying  and  defining  specific  tasks 
required  for  job  positions  have  been  established  and  are  up-to-date. 

2. The agency has performed analyses of the knowledge, skills, and abilities needed
to perform jobs appropriately. Consider the following:

•  The  knowledge,  skills,  and  abilities  needed  for  various  jobs  have  been  identified  and 
made  known  to  employees. 

•  Evidence  exists  that  the  agency  attempts  to  assure  that  employees  selected  for  various 
positions  have  the  requisite  knowledge,  skills,  and  abilities. 

3. The agency provides training and counseling in order to help employees maintain
and  improve  their  competence  for  their  jobs.  Consider  the  following: 

•  There  is  an  appropriate  training  program  to  meet  the  needs  of  all  employees. 

•  The  agency  emphasizes  the  need  for  continuing  training  and  has  a  control  mechanism 
to  help  ensure  that  all  employees  actually  received  appropriate  training. 

•  Supervisors  have  the  necessary  management  skills  and  have  been  trained  to  provide 
effective job performance counseling.

•  Performance  appraisals  are  based  on  an  assessment  of  critical  job  factors  and  clearly 
identify areas in which the employee is performing well and areas that need
improvement. 

• Employees are provided candid and constructive job performance counseling.

4.  Key  senior-level  employees  have  a  demonstrated  ability  in  general  management 
and  extensive  practical  experience  in  operating  governmental  or  business  entities. 

Management’s  Philosophy  and  Operating  Style 

1.  Management  has  an  appropriate  attitude  toward  risktaking,  and  proceeds  with 
new  ventures,  missions,  or  operations  only  after  carefully  analyzing  the  risks 
involved  and  determining  how  they  may  be  minimized  or  mitigated. 

2.  Management  enthusiastically  endorses  the  use  of  performance-based 
management. 

3.  There  has  not  been  excessive  personnel  turnover  in  key  functions,  such  as 
operations  and  program  management,  accounting,  or  internal  audit,  that  would 
indicate  a  problem  with  the  agency’s  emphasis  on  internal  control.  Consider  the 
following: 

•  There  has  not  been  excessive  turnover  of  supervisory  personnel  related  to  internal 
control  problems,  and  there  is  a  strategy  for  dealing  with  turnover  related  to 
constraints  and  limitations  such  as  salary  caps. 

•  Key  personnel  have  not  quit  unexpectedly. 

•  Personnel  turnover  has  not  been  so  great  as  to  impair  internal  control  as  a  result  of 
employing  many  people  new  to  their  jobs  and  unfamiliar  with  the  control  activities 
and  responsibilities. 

•  There  is  no  pattern  to  personnel  turnover  that  would  indicate  a  problem  with  the 
emphasis  that  management  places  on  internal  control. 

4.  Management  has  a  positive  and  supportive  attitude  toward  the  functions  of 
accounting,  information  management  systems,  personnel  operations,  monitoring, 
and  internal  and  external  audits  and  evaluations.  Consider  the  following: 

•  The  financial  accounting  and  budgeting  operations  are  considered  essential  to  the 
well-being  of  the  organization  and  viewed  as  methods  for  exercising  control  over  the 
entity’s  various  activities. 

•  Management  regularly  relies  on  accounting/financial  and  programmatic  data  from  its 
systems  for  decision  making  purposes  and  performance  evaluation.

•  If  the  accounting  operation  is  decentralized,  unit  accounting  personnel  also  have 
reporting  responsibility  to  the  central  financial  officer(s). 

•  The  financial  management,  accounting  operations,  and  budget  execution  operations
are  under  the  direction  of  the  Chief  Financial  Officer  (CFO)  and  strong 
synchronization  and  coordination  exists  between  budgetary  and  proprietary  financial 
accounting  activities. 

•  Management  looks  to  the  information  management  function  for  critical  operating  data 
and  supports  efforts  to  make  improvements  in  the  systems  as  technology  advances. 

•  Personnel  operations  have  a  high  priority  and  senior  executives  emphasize  the 
importance  of  good  human  capital  management. 

•  Management  places  a  high  degree  of  importance  on  the  work  of  the  Inspector 
General,  external  audits,  and  other  evaluations  and  studies  and  is  responsive  to 
information  developed  through  such  products. 

5.  Valuable  assets  and  information  are  safeguarded  from  unauthorized  access  or 
use. 

6.  There  is  frequent  interaction  between  senior  management  and  operating/program 
management,  especially  when  operating  from  geographically  dispersed  locations. 

7.  Management  has  an  appropriate  attitude  toward  financial,  budgetary,  and 
operational/programmatic  reporting.  Consider  the  following: 

•  Management  is  informed  and  involved  in  critical  financial  reporting  issues  and
supports  a  conservative  approach  toward  the  application  of  accounting  principles 
and  estimates. 

•  Management  discloses  all  financial,  budgetary,  and  programmatic  information 
needed  to  fully  understand  the  operations  and  financial  condition  of  the  agency. 

•  Management  avoids  focus  on  short-term  reported  results. 

•  Personnel  do  not  submit  inappropriate  or  inaccurate  reports  in  order  to  meet 
targets. 

•  Facts  are  not  exaggerated  and  budgetary  estimates  are  not  stretched  to  a  point  of 
unreasonableness. 

Organizational  Structure 

1.  The  agency’s  organizational  structure  is  appropriate  for  its  size  and  the  nature  of 
its  operations.  Consider  the  following: 

•  The  organizational  structure  facilitates  the  flow  of  information  throughout  the  agency. 

•  The  organizational  structure  is  appropriately  centralized  or  decentralized,  given  the 
nature  of  its  operations,  and  management  has  clearly  articulated  the  considerations 
and  factors  taken  into  account  in  balancing  the  degree  of  centralization  versus 
decentralization. 

2.  Key  areas  of  authority  and  responsibility  are  defined  and  communicated 
throughout  the  organization. 

•  Executives  in  charge  of  major  activities  or  functions  are  fully  aware  of  their  duties 
and  responsibilities. 

•  An  accurate  and  updated  organizational  chart  showing  key  areas  of  responsibility  is 
provided  to  all  employees. 

•  Executives  and  key  managers  understand  their  internal  control  responsibilities  and 
ensure  that  their  staff  also  understand  their  own  responsibilities. 

3.  Appropriate  and  clear  internal  reporting  relationships  have  been  established.
Consider  the  following: 

•  Reporting  relationships  have  been  established  and  effectively  provide  managers 
information  they  need  to  carry  out  their  responsibilities  and  perform  their  jobs. 

•  Employees  are  aware  of  the  established  reporting  relationships. 

•  Mid-level  managers  can  easily  communicate  with  senior  operating  executives. 

4.  Management  periodically  evaluates  the  organizational  structure  and  makes 
changes  as  necessary  in  response  to  changing  conditions. 

5.  The  agency  has  the  appropriate  number  of  employees,  particularly  in  managerial 
positions.  Consider  the  following: 

•  Managers  and  supervisors  have  time  to  carry  out  their  duties  and  responsibilities. 

•  Employees  do  not  have  to  work  excessive  overtime  or  outside  the  ordinary  workweek 
to  complete  assigned  tasks. 

•  Managers  and  supervisors  are  not  fulfilling  the  roles  of  more  than  one  employee. 

Assignment  of  Authority  and  Responsibility 

1.  The  agency  appropriately  assigns  authority  and  delegates  responsibility  to  the 
proper  personnel  to  deal  with  organizational  goals  and  objectives.  Consider  the 
following: 

•  Authority  and  responsibility  are  clearly  assigned  throughout  the  organization  and  this 
is  clearly  communicated  to  all  employees. 

•  Responsibility  for  decision-making  is  clearly  linked  to  the  assignment  of  authority, 
and  individuals  are  held  accountable  accordingly. 

•  Along  with  increased  delegation  of  authority  and  responsibility,  management  has 
effective  procedures  to  monitor  results. 

2.  Each  employee  knows  (1)  how  his  or  her  actions  interrelate  to  others  considering 
the  way  in  which  authority  and  responsibilities  are  assigned,  and  (2)  is  aware  of  the 
related  duties  concerning  internal  control.  Consider  the  following: 

•  Job  descriptions  clearly  indicate  the  degree  of  authority  and  accountability  delegated 
to  each  position  and  the  responsibilities  assigned. 

•  Job  descriptions  and  performance  evaluations  contain  specific  references  to  internal 
control-related  duties,  responsibilities,  and  accountability. 

3.  The  delegation  of  authority  is  appropriate  in  relation  to  the  assignment  of 
responsibility.  Consider  the  following: 

•  Employees  at  the  appropriate  levels  are  empowered  to  correct  problems  or  implement 
improvements. 

•  There  is  an  appropriate  balance  between  the  delegation  of  authority  at  lower  levels  to 
get  the  job  done,  and  the  involvement  of  senior-level  personnel.

Human  Resource  Policies  and  Practices 

1.  Policies  and  procedures  are  in  place  for  hiring,  orienting,  training,  evaluating, 
counseling,  promoting,  compensating,  disciplining,  and  terminating  employees. 
Consider  the  following: 

•  Management  communicates  information  to  recruiters  about  the  type  of  competencies
needed  for  the  work  or  participates  in  the  hiring  process. 

•  The  agency  has  standards  or  criteria  for  hiring  qualified  people,  with  emphasis  on 
education,  experience,  accomplishment,  and  ethical  behavior. 

•  Position  descriptions  and  qualifications  are  in  accordance  with  OPM  guidance  and 
standardized  throughout  the  agency  for  similar  jobs. 

•  A  training  program  has  been  established  and  includes  orientation  programs  for  new 
employees  and  ongoing  training  for  all  employees. 

•  Promotion,  compensation,  and  rotation  of  employees  are  based  on  periodic 
performance  appraisals. 

•  Performance  appraisals  are  linked  to  the  goals  and  objectives  included  in  the  agency’s 
strategic  plan. 

•  The  importance  of  integrity  and  ethical  values  is  reflected  in  performance  appraisal 
criteria. 

•  Employees  are  provided  with  appropriate  feedback  and  counseling  on  their  job 
performance  and  suggestions  for  improvements. 

•  Disciplinary  or  remedial  action  is  taken  in  response  to  violations  of  policies  or  ethical 
standards. 

•  Employment  is  terminated,  following  established  policies,  when  performance  is 
consistently  below  standards  or  there  are  significant  and  serious  violations  of  policy. 

•  Management  has  established  criteria  for  employee  retention  and  considers  the  effect 
upon  operations  if  large  numbers  of  employees  are  expected  to  leave  or  retire  in  a 
given  period. 

2.  Background  checks  are  conducted  on  candidates  for  employment.  Consider  the 
following: 

•  Candidates  who  change  jobs  often  are  given  particularly  close  attention. 

•  Hiring  standards  require  investigations  for  criminal  records  for  all  potential 
employees. 

•  References  and  previous  employers  are  contacted. 

•  Educational  and  professional  certifications  are  confirmed. 

3.  Employees  are  provided  a  proper  amount  of  supervision.  Consider  the  following: 

•  Employees  receive  guidance,  review,  and  on-the-job  training  from  supervisors  to  help 
ensure  proper  work  flow  and  processing  of  transactions  and  events,  reduce 
misunderstandings,  and  discourage  wrongful  acts. 

•  Supervisory  personnel  ensure  that  staffs  are  aware  of  their  duties  and  responsibilities 
and  management’s  expectations. 

Oversight  Groups 

1.  Within  the  agency,  there  are  mechanisms  in  place  to  monitor  and  review 
operations  and  programs.  Consider  the  following: 

•  An  Inspector  General,  who  is  independent  from  management,  audits  and  reviews 
agency  activities. 

•  The  agency  has  an  audit  committee  or  senior  management  council  consisting  of
high-level  line  and  staff  executives  that  review  the  internal  audit  work  and  coordinate
closely  with  the  Inspector  General  and  external  auditors. 

•  If  there  is  an  internal  audit  operation  it  reports  to  the  agency  head. 

•  The  internal  audit  function  reviews  the  agency’s  activities  and  systems  and  provides
information,  analyses,  appraisals,  recommendations,  and  counsel  to  management. 

2.  The  agency  works  closely  with  executive  branch  oversight  organizations.
Consider  the  following:

•  The  agency  has  a  good  working  relationship  with  OMB,  and  major  officials, 
including  the  CFO,  meet  regularly  with  OMB  personnel  to  discuss  areas  such  as 
financial  and  budgetary  reporting,  internal  control,  and  management’s  performance. 

•  High-level  agency  personnel  maintain  good  working  relationships  with  other 
executive  branch  agencies  that  exercise  multi-agency  control  responsibilities,  such  as 
the  Department  of  the  Treasury,  the  General  Services  Administration,  and  OPM. 

3.  The  agency  maintains  a  close  relationship  with  Congress  in  general  and  oversight
committees  in  particular.  Consider  the  following:

•  The  agency  provides  Congress  and  oversight  committees  with  timely  and  accurate 
information  to  allow  monitoring  of  agency  activities,  including  review  of  the 
agency’s  (1)  mission  and  goals,  (2)  performance  reporting,  and  (3)  financial  position 
and  operating  results. 

•  Agencies  may  or  may  not  have  an  internal  audit  function  separate  and  apart  from  the 
Inspector  General. 

•  High-level  agency  officials  meet  regularly  with  congressional  and  GAO  staff  to 
discuss  major  issues  affecting  operations,  internal  control,  performance,  and  other 
major  agency  activities  and  programs. 

RISK  ASSESSMENT 


Establishment  of  Entity  wide  Objectives 

1.  The  agency  has  established  entity  wide  objectives  that  provide  sufficiently  broad 
statements  and  guidance  about  what  the  agency  is  supposed  to  achieve,  yet  are 
specific  enough  to  relate  directly  to  the  agency.  Consider  the  following: 

•  Management  has  established  overall  entity  wide  objectives  in  the  form  of  mission, 
goals,  and  objectives,  such  as  those  defined  in  strategic  and  annual  performance  plans 
developed  under  the  GPRA. 

•  The  entity  wide  objectives  relate  to  and  stem  from  program  requirements  established 
by  legislation. 

•  The  entitywide  objectives  are  specific  enough  to  clearly  apply  to  the  agency  instead 
of  applying  to  all  agencies. 

2.  Entity  wide  objectives  are  clearly  communicated  to  all  employees,  and 
management  obtains  feedback  signifying  that  the  communication  has  been  effective. 

3.  There  is  a  relationship  and  consistency  between  the  agency’s  operational 
strategies  and  the  entity  wide  objectives.  Consider  the  following: 

•  Strategic  plans  support  the  entity  wide  objectives.

•  Strategic  plans  address  resource  allocations  and  priorities. 

•  Strategic  plans  and  budgets  are  designed  with  an  appropriate  level  of  detail  for 
various  management  levels. 

•  Assumptions  made  in  strategic  plans  and  budgets  are  consistent  with  the  agency’s 
historical  experience  and  current  circumstances. 

4.  The  agency  has  an  integrated  management  strategy  and  risk  assessment  plan  that 
considers  the  entity  wide  objectives  and  relevant  sources  of  risk  from  internal 
management  factors  and  external  sources  and  establishes  a  control  structure  to 
address  those  risks. 

Establishment  of  Activity-Level  Objectives 

1.  Activity-level  (program  or  mission-level)  objectives  flow  from  and  are  linked  with 
the  agency’s  entity  wide  objectives  and  strategic  plans.  Consider  the  following: 

•  All  significant  activities  are  adequately  linked  to  the  entity  wide  objectives  and 
strategic  plans. 

•  Activity-level  objectives  are  reviewed  periodically  to  assure  that  they  have  continued 
relevance. 

2.  Activity-level  objectives  are  complementary,  reinforce  each  other,  and  are  not 
contradictory. 

3.  The  activity-level  objectives  are  relevant  to  all  significant  agency  processes. 
Consider  the  following: 

•  Objectives  have  been  established  for  the  entire  key  operational  activities  and  the 
support  activities. 

•  Activity-level  objectives  are  consistent  with  effective  past  practices  and  performance, 
and  are  consistent  with  any  industry  or  business  norms  that  may  be  applicable  to  the 
agency’s  operations. 

4.  Activity-level  objectives  include  measurement  criteria. 

5.  Agency  resources  are  adequate  relative  to  the  activity  level  objectives.  Consider 
the  following: 

•  The  resources  needed  to  meet  the  objectives  have  been  identified. 

•  If  adequate  resources  are  not  available,  management  has  plans  to  acquire  them. 

6.  Management  has  identified  those  activity-level  objectives  that  are  critical  to  the 
success  of  the  overall  entity  wide  objectives.  Consider  the  following: 

•  Management  has  identified  the  things  that  must  occur  or  happen  if  the  entity  wide 
objectives  are  to  be  met. 

•  The  critical  activity-level  objectives  receive  particular  attention  and  review  from 
management  and  their  performance  is  monitored  regularly. 

7.  All  levels  of  management  are  involved  in  establishing  the  activity-level  objectives 
and  are  committed  to  their  achievement. 

Risk  Identification

1.  Management  comprehensively  identifies  risk  using  various  methodologies  as
appropriate.  Consider  the  following:

•  Qualitative  and  quantitative  methods  are  used  to  identify  risk  and  determine  relative 
risk  rankings  on  a  scheduled  and  periodic  basis. 

•  How  risk  is  to  be  identified,  ranked,  analyzed,  and  mitigated  is  communicated  to 
appropriate  staff. 

•  Risk  identification  and  discussion  occur  in  senior  level  management  conferences. 

•  Risk  identification  takes  place  as  a  part  of  short-term  and  long-term  forecasting  and
strategic  planning. 

•  Risk  identification  occurs  as  a  result  of  consideration  of  findings  from  audits, 
evaluations,  and  other  assessments. 

•  Risks  that  are  identified  at  the  employee  and  mid-management  level  are  brought  to 
the  attention  of  senior-level  managers. 

2.  Adequate  mechanisms  exist  to  identify  risks  to  the  agency  arising  from  external
factors.  Consider  the  following:

•  The  agency  considers  the  risks  associated  with  technological  advancements  and 
developments. 

•  Consideration  is  given  to  risks  arising  from  the  changing  needs  or  expectations  of 
Congress,  agency  officials,  and  the  public. 

•  Risks  posed  by  new  legislation  or  regulations  are  identified. 

•  Risks  to  the  agency  as  a  result  of  possible  natural  catastrophes  or  criminal  or  terrorist 
actions  are  taken  into  account. 

•  Identification  of  risks  resulting  from  business,  political,  and  economic  changes  are 
determined. 

•  Consideration  is  given  to  the  risks  associated  with  major  suppliers  and  contractors. 

•  The  agency  carefully  considers  any  risks  resulting  from  its  interactions  with  various 
other  federal  entities  and  parties  outside  the  government. 

3.  Adequate  mechanisms  exist  to  identify  risks  to  the  agency  arising  from  internal
factors.  Consider  the  following:

•  Risks  resulting  from  downsizing  of  agency  operations  and  personnel  are  considered. 

•  The  agency  identifies  risks  associated  with  business  process  reengineering  or  redesign 
of  operating  processes. 

•  Consideration  is  given  to  risks  posed  by  disruption  of  information  systems  processing 
and  the  extent  to  which  backup  systems  are  available  and  can  be  implemented. 

•  The  agency  identifies  any  potential  risks  due  to  highly  decentralized  program 
operations. 

•  Consideration  is  given  to  possible  risks  resulting  from  the  lack  of  qualifications  of 
personnel  hired  or  the  extent  to  which  they  have  been  trained  or  not  trained. 

•  Risks  resulting  from  heavy  reliance  on  contractors  or  other  related  parties  to  perform 
critical  agency  operations  are  identified. 

•  The  agency  identifies  any  risks  that  might  be  associated  with  major  changes  in 
managerial  responsibilities. 

•  Risks  resulting  from  unusual  employee  access  to  vulnerable  assets  are  considered.

•  Risk  identification  activities  consider  certain  human  capital-related  risks,  such  as  the 
inability  to  provide  succession  planning  and  retain  key  personnel  who  can  affect  the 
ability  of  the  agency  or  program  activity  to  function  effectively,  and  the  inadequacy 
of  compensation  and  benefit  programs  to  keep  the  agency  competitive  with  the 
private  sector  for  labor. 

•  Risks  related  to  the  availability  of  future  funding  for  new  programs  or  the 
continuations  of  current  programs  are  assessed. 

4.  In  identifying  risk,  management  assesses  other  factors  that  may  contribute  to  or 
increase  the  risk  to  which  the  agency  is  exposed.  Consider  the  following: 

•  Management  considers  any  risks  related  to  past  failures  to  meet  agency  missions, 
goals,  or  objectives  or  failures  to  meet  budget  limitations. 

•  Consideration  is  given  to  risks  indicated  by  a  history  of  improper  program 
expenditures,  violations  of  funds  control,  or  other  statutory  noncompliance. 

•  The  agency  identifies  any  risks  inherent  to  the  nature  of  its  mission  or  to  the 
significance  and  complexity  of  any  specific  programs  or  activities  it  undertakes. 

5.  Management  identifies  risks  both  entitywide  and  for  each  significant  activity-level 
of  the  agency. 

Risk  Analysis 

1.  After  the  risks  to  the  agency  have  been  identified,  management  undertakes  a 
thorough  and  complete  analysis  of  their  possible  effect.  Consider  the  following: 

•  Management  has  established  a  formal  process  to  analyze  risks,  and  that  process  may
include  informal  analysis  based  on  day-to-day  management  activities. 

•  Criteria  have  been  established  for  determining  low,  medium,  and  high  risks.

•  Appropriate  levels  of  management  and  employees  are  involved  in  the  risk  analysis. 

•  The  risks  identified  and  analyzed  are  relevant  to  the  corresponding  activity  objective. 

•  Risk  analysis  includes  estimating  the  risk’s  significance. 

•  Risk  analysis  includes  estimating  the  likelihood  and  frequency  of  occurrence  of  each 
risk  and  determining  whether  it  falls  into  the  low,  medium,  or  high-risk  category. 

•  A  determination  is  made  on  how  best  to  manage  or  mitigate  the  risk  and  what  specific
actions  should  be  taken. 

2.  Management  has  developed  an  approach  for  risk  management  and  control  based 
on  how  much  risk  can  be  prudently  accepted.  Consider  the  following: 

•  The  approach  can  vary  from  one  agency  to  another  depending  upon  variances  in  risks 
and  how  much  risk  can  be  tolerated,  but  seems  appropriate  to  the  agency. 

•  The  approach  is  designed  to  keep  risks  within  levels  judged  to  be  appropriate  and 
management  takes  responsibility  for  setting  the  tolerable  risk  level. 

•  Specific  control  activities  are  decided  upon  to  manage  or  mitigate  specific  risks  entity 
wide  and  at  each  activity  level,  and  their  implementation  is  monitored. 

Managing  Risk  during  Change

1.  The  agency  has  mechanisms  in  place  to  anticipate,  identify,  and  react  to  risks 
presented  by  changes  in  governmental,  economic,  industry,  regulatory,  operating,  or 
other  conditions  that  can  affect  the  achievement  of  entitywide  or  activity-level  goals 
and  objectives.  Consider  the  following: 

•  All  activities  within  the  agency  that  might  be  significantly  affected  by  changes  are 
considered  in  the  process. 

•  Routine  changes  are  addressed  through  the  established  risk  identification  and  analysis 
processes. 

•  Risks  resulting  from  conditions  that  are  significantly  changing  are  addressed  at 
sufficiently  high  levels  within  the  agency  so  that  their  full  impact  on  the  organization 
is  considered  and  appropriate  actions  are  taken. 

2.  The  agency  gives  special  attention  to  risks  presented  by  changes  that  can  have  a 
more  dramatic  and  pervasive  effect  on  the  entity  and  may  demand  the  attention  of 
senior  officials.  Consider  the  following: 

•  The  agency  is  especially  attentive  to  risks  caused  by  the  hiring  of  new  personnel  to 
occupy  key  positions  or  by  high  personnel  turnover  in  any  particular  area. 

•  Mechanisms  exist  to  assess  the  risks  posed  by  the  introduction  of  new  or  changed 
information  systems  and  risks  involved  in  training  employees  to  use  the  new  systems 
and  to  accept  the  changes. 

•  Management  gives  special  consideration  to  the  risks  presented  by  rapid  growth  and 
expansion  or  rapid  downsizing  and  the  effects  on  systems  capabilities  and  revised 
strategic  plans,  goals,  and  objectives. 

•  Consideration  is  given  to  the  risks  involved  when  introducing  major  new 
technological  developments  and  applications  and  incorporating  them  into  the 
operating  processes. 

•  The  risks  are  extensively  analyzed  whenever  the  agency  begins  the  production  or 
provision  of  new  outputs  or  services. 

•  Risks  resulting  from  the  establishment  of  operations  in  a  new  geographical  area  are 
assessed. 

CONTROL  ACTIVITIES 


General  Application 

1.  Appropriate  policies,  procedures,  techniques,  and  mechanisms  exist  with  respect 
to  each  of  the  agency’s  activities.  Consider  the  following: 

•  All  relevant  objectives  and  associated  risks  for  each  significant  activity  have  been 
identified  in  conjunction  with  conducting  the  risk  assessment  and  analysis  function. 

•  Management  has  identified  the  actions  and  control  activities  needed  to  address  the 
risks  and  directed  their  implementation. 


2.  The  control  activities  identified  as  necessary  are  in  place  and  being  applied. 
Consider  the  following: 

•  Control  activities  described  in  policy  and  procedures  manuals  are  actually  applied  and 
applied  properly. 

•  Supervisors  and  employees  understand  the  purpose  of  internal  control  activities. 

•  Supervisory  personnel  review  the  functioning  of  established  control  activities  and 
remain  alert  for  instances  in  which  excessive  control  activities  should  be  streamlined. 

•  Timely  action  is  taken  on  exceptions,  implementation  problems,  or  information  that
requires  follow-up. 

3.  Control  activities  are  regularly  evaluated  to  ensure  that  they  are  still  appropriate 
and  working  as  intended. 

Common  Categories  of  Control  Activities 

1.  Top-Level  Reviews.  Management  tracks  major  agency  achievements  in  relation
to  its  plans.  Consider  the  following: 

•  Top-level  management  regularly  reviews  actual  performance  against  budgets, 
forecasts,  and  prior  period  results. 

•  Top  management  is  involved  in  developing  5-year  and  annual  performance  plans  and
targets  in  accordance  with  GPRA  and  measuring  and  reporting  results  against  those 
plans  and  targets. 

•  Major  agency  initiatives  are  tracked  for  target  achievement  and  follow-up  actions  are 
taken. 

2.  Management  Reviews  at  the  Functional  or  Activity  Level.  Agency  managers
review  actual  performance  against  targets.  Consider  the  following: 

•  Managers  at  all  activity  levels  review  performance  reports,  analyze  trends,  and 
measure  results  against  targets. 

•  Both  financial  and  program  managers  review  and  compare  financial,  budgetary,  and
operational  performance  to  planned  or  expected  results. 

•  Appropriate  control  activities  are  employed,  such  as  reconciliations  of  summary 
information  to  supporting  detail  and  checking  the  accuracy  of  summarizations  of 
operations. 

3.  Management  of  Human  Capital.  The  agency  effectively  manages  the
organization’s  workforce  to  achieve  results.  Consider  the  following: 

•  A  clear  and  coherent  shared  vision  of  agency  mission,  goals,  values,  and  strategies  is 
explicitly  identified  in  the  strategic  plan,  annual  performance  plan,  and  other  guiding 
documents,  and  that  view  has  been  clearly  and  consistently  communicated  to  all 
employees. 

•  The  agency  has  a  coherent  overall  human  capital  strategy,  as  evidenced  in  its  strategic 
plan,  performance  plan,  or  separate  human  capital  planning  document;  and  that 
strategy  encompasses  human  capital  policies,  programs,  and  practices  to  guide  the 
agency. 

•  The  agency  has  a  specific  and  explicit  workforce  planning  strategy,  linked  to  the 
overall  strategic  plan,  and  that  allows  for  identification  of  current  and  future  human 
capital  needs. 


•  The  agency  has  defined  the  type  of  leaders  it  wants  through  written  descriptions  of 
roles,  responsibilities,  attributes,  and  competencies  and  has  established  broad 
performance  expectations  for  them. 

•  Senior  leaders  and  managers  attempt  to  build  teamwork,  reinforce  the  shared  vision 
of  the  agency,  and  encourage  feedback  from  employees,  as  evidenced  by  actions 
taken  to  communicate  this  to  all  employees  and  the  existence  of  opportunities  for 
management  to  obtain  feedback. 

•  The  agency’s  performance  management  system  is  given  a  high  priority  by  top-level 
officials,  and  it  is  designed  to  guide  the  workforce  to  achieve  the  agency’s  shared 
vision/mission. 

•  Procedures  are  in  place  to  ensure  that  personnel  with  appropriate  competencies  are 
recruited  and  retained  for  the  work  of  the  agency,  including  a  formal  recruiting  and 
hiring  plan  with  explicit  links  to  skill  needs  the  agency  has  identified. 

•  Employees  are  provided  orientation,  training,  and  tools  to  perform  their  duties  and 
responsibilities,  improve  performance,  enhance  their  capabilities,  and  meet  the 
demands  of  changing  organizational  needs. 

•  The  compensation  system  is  adequate  to  acquire,  motivate,  and  retain  personnel,  and 
incentives  and  rewards  are  provided  to  encourage  personnel  to  perform  at  maximum 
capability. 

•  The  agency  provides  workplace  flexibilities,  services,  and  facilities  (e.g.,  career 
counseling,  flextime,  casual-dress  days,  and  childcare)  to  help  it  compete  for  talent 
and  enhance  employee  satisfaction  and  commitment. 

•  Qualified  and  continuous  supervision  is  provided  to  ensure  that  internal  control 
objectives  are  being  met. 

•  Meaningful,  honest,  constructive  performance  evaluation  and  feedback  are  provided 
to  help  employees  understand  the  connection  between  their  performance  and  the
achievement  of  the  agency’s  goals. 

•  Management  conducts  succession  planning  to  ensure  continuity  of  needed  skills  and 
abilities. 

4.  Information  Processing.  The  agency  employs  a  variety  of  control  activities  suited
to  information  processing  systems  to  ensure  accuracy  and  completeness.  Consider
the  following:

•  Edit  checks  are  used  in  controlling  data  entry. 

•  Accounting  for  transactions  is  performed  in  numerical  sequences. 

•  File  totals  are  compared  with  control  accounts. 

•  Exceptions  or  violations  indicated  by  other  control  activities  are  examined  and  acted 
upon. 

•  Access  to  data,  files,  and  programs  is  appropriately  controlled. 

5.  Physical  Control  Over  Vulnerable  Assets.  The  agency  employs  physical  control  to
secure  and  safeguard  vulnerable  assets.  Consider  the  following:

•  Physical  safeguarding  policies  and  procedures  have  been  developed,  implemented, 
and  communicated  to  all  employees. 

•  The  agency  has  developed  a  disaster  recovery  plan,  which  is  regularly  updated  and 
communicated  to  employees. 

•  The  agency  has  developed  a  plan  for  the  identification  of  and  protection  of  any
critical  infrastructure  assets. 

•  Assets  that  are  particularly  vulnerable  to  loss,  theft,  damage,  or  unauthorized  use, 
such  as  cash,  securities,  supplies,  inventories,  and  equipment,  are  physically  secured 
and  access  to  them  controlled. 

•  Assets  such  as  cash,  securities,  supplies,  inventories,  and  equipment  are  periodically 
counted  and  compared  to  control  records  and  exceptions  examined. 

•  Cash  and  negotiable  securities  are  maintained  under  lock  and  key  and  access  to  them 
strictly  controlled. 

•  Forms  such  as  blank  checks  and  purchase  orders  are  sequentially  pre-numbered  and 
physically  secured  and  access  to  them  strictly  controlled. 

•  Mechanical  check  signers  and  signature  plates  are  physically  protected  and  access  to 
them  strictly  controlled. 

•  Equipment  vulnerable  to  theft  is  securely  fastened  or  protected  in  some  other  manner. 

•  Identification  plates  and  numbers  are  affixed  to  office  furniture  and  fixtures,
equipment,  and  other  portable  assets.

•  Inventories,  supplies,  and  finished  items/goods  are  stored  in  physically  secured
areas  and  protected  from  damage.

Critical  infrastructure  assets  are  those  assets  of  physical  and  cyber-based  systems
that  are  essential  to  the  minimum  operations  of  the  economy  and  government.

•  Facilities  are  protected  from  fire  by  fire  alarms  and  sprinkler  systems. 

•  Access  to  premises  and  facilities  is  controlled  by  fences,  guards,  and/or  other  physical 
controls. 

•  Access  to  facilities  is  restricted  and  controlled  during  nonworking  hours. 

6.  Performance  Measures  and  Indicators.  The  agency  has  established  and  monitors
performance  measures  and  indicators.  Consider  the  following:

•  Performance  measures  and  indicators  have  been  established  throughout  the 
organization  at  the  entitywide,  activity,  and  individual  level. 

•  The  agency  periodically  reviews  and  validates  the  propriety  and  integrity  of  both 
organizational  and  individual  performance  measures  and  indicators.

•  Performance  measurement  assessment  factors  are  evaluated  to  ensure  they  are  linked 
to  mission,  goals,  and  objectives,  and  are  balanced  and  set  appropriate  incentives  for 
achieving  goals  while  complying  with  law,  regulations,  and  ethical  standards. 

•  Actual  performance  data  are  continually  compared  against  expected/planned  goals 
and  differences  are  analyzed. 

•  Comparisons  are  made  relating  different  sets  of  data  to  one  another  so  that  analyses  of 
the  relationships  can  be  made  and  corrective  actions  can  be  taken  if  necessary. 

•  Investigation  of  unexpected  results  or  unusual  trends  leads  to  identification  of 
circumstances  in  which  the  achievement  of  goals  and  objectives  may  be  threatened 
and  corrective  action  is  taken. 

•  Analysis  and  review  of  performance  measures  and  indicators  are  used  for  both 
operational  and  financial  reporting  control  purposes. 

7.  Segregation  of  Duties.  Key  duties  and  responsibilities  are  divided  or  segregated
among  different  people  to  reduce  the  risk  of  error,  waste,  or  fraud.  Consider  the 
following: 

•  No  one  individual  is  allowed  to  control  all  key  aspects  of  a  transaction  or  event. 

•  Responsibilities  and  duties  involving  transactions  and  events  are  separated  among 
different  employees  with  respect  to  authorization,  approval,  processing  and  recording, 
making  payments  or  receiving  funds,  review  and  auditing,  and  the  custodial  functions 
and  handling  of  related  assets. 

•  Duties  are  assigned  systematically  to  a  number  of  individuals  to  ensure  that  effective 
checks  and  balances  exist. 

•  Where  feasible,  no  one  individual  is  allowed  to  work  alone  with  cash,  negotiable 
securities,  or  other  highly  vulnerable  assets.

•  The  responsibility  for  opening  mail  is  assigned  to  individuals  who  have  no 
responsibilities  for  or  access  to  files  or  documents  pertaining  to  accounts  receivable 
or  cash  accounts. 

•  Bank  accounts  are  reconciled  by  employees  who  have  no  responsibilities  for  cash
receipts,  disbursements,  or  custody. 

•  Management  is  aware  that  collusion  can  reduce  or  destroy  the  control  effectiveness  of 
segregation  of  duties  and,  therefore,  is  especially  alert  for  it  and  attempts  to  reduce 
the  opportunities  for  it  to  occur. 

8.  Execution  of  Transactions  and  Events.  Transactions  and  other  significant  events
are  authorized  and  performed  by  the  appropriate  personnel.  Consider  the 
following: 

•  Controls  ensure  that  only  valid  transactions  and  other  events  are  initiated  or  entered 
into,  in  accordance  with  management’s  decisions  and  directives. 

•  Controls  are  established  to  ensure  that  all  transactions  and  other  significant  events 
that  are  entered  into  are  authorized  and  executed  only  by  employees  acting  within  the 
scope  of  their  authority. 

•  Authorizations  are  clearly  communicated  to  managers  and  employees  and  include  the 
specific  conditions  and  terms  under  which  authorizations  are  to  be  made.

•  The  terms  of  authorizations  are  in  accordance  with  directives  and  within  limitations 
established  by  law,  regulation,  and  management. 

9.  Recording  of  Transactions  and  Events.  Transactions  and  other  significant  events
are  properly  classified  and  promptly  recorded.  Consider  the  following: 

•  Transactions  and  events  are  appropriately  classified  and  promptly  recorded  so  that 
they  maintain  their  relevance,  value,  and  usefulness  to  management  in  controlling 
operations  and  making  decisions. 

•  Proper  classification  and  recording  take  place  throughout  the  entire  life  cycle  of  each 
transaction  or  event,  including  authorization,  initiation,  processing,  and  final 
classification  in  summary  records. 

•  Proper  classification  of  transactions  and  events  includes  appropriate  organization  and 
format  of  information  on  original  documents  (hardcopy  paper  or  electronic)  and 
summary  records  from  which  reports  and  statements  are  prepared. 

•  Excessive  adjustments  to  numbers  or  account  classifications  are  not  necessary  prior  to 
finalization  of  financial  reports. 

10.  Access  Restrictions  to  and  Accountability  for  Resources  and  Records.  Access  to
resources  and  records  is  limited  and  accountability  for  their  custody  is  assigned.
Consider  the  following:

•  The  risk  of  unauthorized  use  or  loss  is  controlled  by  restricting  access  to  resources 
and  records  only  to  authorized  personnel. 

•  Accountability  for  resources  and  records  custody  and  use  is  assigned  to  specific 
individuals. 

•  Access  restrictions  and  accountability  assignments  for  custody  are  periodically 
reviewed  and  maintained. 

•  Periodic  comparison  of  resources  with  the  recorded  accountability  is  made  to 
determine  if  the  two  agree,  and  differences  are  examined. 

•  How  frequently  actual  resources  are  compared  to  records  and  the  degree  of  access 
restrictions  are  functions  of  the  vulnerability  of  the  resource  to  the  risk  of  errors, 
fraud,  waste,  misuse,  theft,  or  unauthorized  alteration. 

•  Management  considers  such  factors  as  asset  value,  portability,  and  exchangeability 
when  determining  the  appropriate  degree  of  access  restrictions.

•  As  a  part  of  assigning  and  maintaining  accountability  for  resources  and  records,
management  informs  and  communicates  those  responsibilities  to  specific  individuals 
within  the  agency  and  assures  that  those  people  are  aware  of  their  duties  for 
appropriate  custody  and  use  of  those  resources. 

11.  Documentation.  Internal  Control  and  all  transactions  and  other  significant
events  are  clearly  documented.  Consider  the  following:

•  Written  documentation  exists  covering  the  agency’s  internal  control  structure  and  for 
all  significant  transactions  and  events. 

•  The  documentation  is  readily  available  for  examination. 

•  The  documentation  for  internal  control  includes  identification  of  the  agency’s 
activity-level  functions  and  related  objectives  and  control  activities  and  appears  in 
management  directives,  administrative  policies,  accounting  manuals,  and  other  such 
manuals. 

•  Documentation  for  internal  control  includes  documentation  describing  and  covering 
automated  information  systems,  data  collection  and  handling,  and  the  specifics  of 
general  and  application  control  related  to  such  systems. 

•  Documentation  of  transactions  and  other  significant  events  is  complete  and  accurate 
and  facilitates  tracing  the  transaction  or  event  and  related  information  from 
authorization  and  initiation,  through  its  processing,  to  after  it  is  completed. 

•  Documentation,  whether  in  paper  or  electronic  form,  is  useful  to  managers  in 
controlling  their  operations  and  to  any  others  involved  in  evaluating  or  analyzing 
operations. 

•  All  documentation  and  records  are  properly  managed,  maintained,  and  periodically 
updated. 

Control  Activities  Specific  for  Information  Systems.  General  Control
Entitywide  Security  Management  Program

1.  The  agency  periodically  performs  a  comprehensive,  high-level  assessment  of  risks 
to  its  information  systems.  Consider  the  following: 

•  Risk  assessments  are  performed  and  documented  regularly  and  whenever  systems, 
facilities,  or  other  conditions  change. 

•  Risk  assessments  consider  data  sensitivity  and  integrity. 

•  Final  risk  determinations  and  managerial  approvals  are  documented  and  kept  on  file. 

2.  The  agency  has  developed  a  plan  that  clearly  describes  the  entitywide  security 
program  and  policies  and  procedures  that  support  it. 

3.  Senior  management  has  established  a  structure  to  implement  and  manage  the 
security  program  throughout  the  agency  and  security  responsibilities  are  clearly 
defined. 

4.  The  agency  has  implemented  effective  security-related  personnel  policies. 

5.  The  agency  monitors  the  security  program’s  effectiveness  and  makes  changes  as 
needed.  Consider  the  following: 

•  Management  periodically  assesses  the  appropriateness  of  security  policies  and 
compliance  with  them. 

•  Corrective  actions  are  promptly  and  effectively  implemented  and  tested,  and  they  are 
continually  monitored. 

Access  Control 

1.  The  agency  classifies  information  resources  according  to  their  criticality  and 
sensitivity.  Consider  the  following: 

•  Resource  classifications  and  related  criteria  have  been  established  and  communicated 
to  resource  owners. 

•  Resource  owners  have  classified  their  information  resources  based  on  the  approved 
criteria  and  with  regard  to  risk  determinations  and  assessments  and  have  documented 
those  classifications. 

2.  Resource  owners  have  identified  authorized  users  and  their  access  to  the 
information  has  been  formally  authorized. 

3.  The  agency  has  established  physical  and  logical  controls  to  prevent  or  detect 
unauthorized  access. 

4.  The  agency  monitors  information  systems  access,  investigates  apparent  violations, 
and  takes  appropriate  remedial  and  disciplinary  action. 

Application  Software  Development  and  Change  Control 

1.  Information  system  processing  features  and  program  modifications  are  properly 
authorized. 

2.  All  new  or  revised  software  is  thoroughly  tested  and  approved. 

3.  The  agency  has  established  procedures  to  ensure  control  of  its  software  libraries, 
including  labeling,  access  restrictions,  and  use  of  inventories  and  separate  libraries. 




System  Software  Control 

1.  The  agency  limits  access  to  system  software  based  on  job  responsibilities,  and 
access  authorization  is  documented. 

2.  Access  to  and  use  of  system  software  are  controlled  and  monitored. 

3.  The  agency  controls  changes  made  to  the  system  software. 

Segregation  of  Duties 

1.  Incompatible  duties  have  been  identified  and  policies  implemented  to  segregate 
those  duties. 

2.  Access  controls  have  been  established  to  enforce  segregation  of  duties. 

3.  The  agency  exercises  control  over  personnel  activities  through  the  use  of  formal 
operating  procedures,  supervision,  and  review. 

Service  Continuity 

1.  The  criticality  and  sensitivity  of  computerized  operations  have  been  assessed  and 
prioritized,  and  supporting  resources  have  been  identified. 

2.  The  agency  has  taken  steps  to  prevent  and  minimize  potential  damage  and 
interruption  through  the  use  of  data  and  program  backup  procedures  including 
offsite  storage  of  backup  data  as  well  as  environmental  controls,  staff  training,  and 
hardware  maintenance  and  management. 

3.  Management  has  developed  and  documented  a  comprehensive  contingency  plan. 

4.  The  agency  periodically  tests  the  contingency  plan  and  adjusts  it  as  appropriate. 

Control  Activities  Specific  for  Information  Systems.  Application  Control 
Authorization  Control 

1.  Source  documents  are  controlled  and  require  authorization.  Consider  the 
following: 

•  Access  to  blank  source  documents  is  restricted. 

•  Source  documents  are  pre-numbered  sequentially. 

•  Key  source  documents  require  authorizing  signatures. 

•  For  batch  application  systems,  batch  control  sheets  are  used  providing  information 
such  as  date,  control  number,  number  of  documents,  and  control  totals  for  key  fields. 

•  Supervisory  or  independent  review  of  data  occurs  before  it  is  entered  into  the 
application  system. 

2.  Data  entry  terminals  have  restricted  access. 

3.  Master  files  and  exception  reporting  are  used  to  ensure  that  all  data  processed  are 
authorized. 

Completeness  Control

1.  All  authorized  transactions  are  entered  into  and  processed  by  the  computer. 

2.  Reconciliations  are  performed  to  verify  data  completeness. 

Accuracy  Control

1.  The  agency’s  data  entry  design  features  contribute  to  data  accuracy. 

2.  Data  validation  and  editing  are  performed  to  identify  erroneous  data. 

3.  Erroneous  data  are  captured,  reported,  investigated,  and  promptly  corrected. 

4.  Output  reports  are  reviewed  to  help  maintain  data  accuracy  and  validity. 

Control  Over  Integrity  of  Processing  and  Data  Files 

1.  Procedures  ensure  that  the  current  versions  of  production  programs  and  data 
files  are  used  during  processing. 

2.  Programs  include  routines  to  verify  that  the  proper  version  of  the  computer  file  is 
used  during  processing. 

3.  Programs  include  routines  for  checking  internal  file  header  labels  before 
processing. 

4.  The  application  protects  against  concurrent  file  updates. 

INFORMATION  AND  COMMUNICATIONS 


Information

1.  Information  from  internal  and  external  sources  is  obtained  and  provided  to 
management  as  a  part  of  the  agency’s  reporting  on  operational  performance 
relative  to  established  objectives.  Consider  the  following: 

•  Internally  generated  information  critical  to  achieving  the  agency’s  objectives,
including  information  relative  to  critical  success  factors,  is  identified  and  regularly
reported  to  management. 

•  The  agency  obtains  and  reports  to  managers  any  relevant  external  information  that 
may  affect  the  achievement  of  its  missions,  goals,  and  objectives  particularly  that 
related  to  legislative  or  regulatory  developments  and  political  or  economic  changes. 

•  Internal  and  external  information  needed  by  managers  at  all  levels  is  reported  to  them.

2.  Pertinent  information  is  identified,  captured,  and  distributed  to  the  right  people 
in  sufficient  detail,  in  the  right  form,  and  at  the  appropriate  time  to  enable  them  to 
carry  out  their  duties  and  responsibilities  efficiently  and  effectively.  Consider  the 
following: 

•  Managers  receive  analytical  information  that  helps  them  identify  specific  actions  that 
need  to  be  taken. 

•  Information  is  provided  at  the  right  level  of  detail  for  different  levels  of  management. 

•  Information  is  summarized  and  presented  appropriately  and  provides  pertinent 
information  while  permitting  a  closer  inspection  of  details  as  needed. 

•  Information  is  available  on  a  timely  basis  to  allow  effective  monitoring  of  events, 
activities,  and  transactions  and  to  allow  prompt  reaction. 

•  Program  managers  receive  both  operational  and  financial  information  to  help  them 
determine  whether  they  are  meeting  the  strategic  and  annual  performance  plans  and 
meeting  the  agency’s  goals  for  accountability  of  resources. 

•  Operational  information  is  provided  to  managers  so  that  they  may  determine  whether
their  programs  comply  with  applicable  laws  and  regulations. 

•  The  appropriate  financial  and  budgetary  information  is  provided  for  both  internal  and
external  financial  reporting. 

Communications 

1.  Management  ensures  that  effective  internal  communications  occur.  Consider  the
following:

•  Top  management  provides  a  clear  message  throughout  the  agency  that  internal 
control  responsibilities  are  important  and  must  be  taken  seriously. 

•  Employees’  specific  duties  are  clearly  communicated  to  them  and  they  understand  the
relevant  aspects  of  internal  control,  how  their  role  fits  into  it,  and  how  their  work 
relates  to  the  work  of  others. 

•  Employees  are  informed  that  when  the  unexpected  occurs  in  performing  their  duties, 
attention  must  be  given  not  only  to  the  event,  but  also  to  the  underlying  cause,  so  that 
potential  internal  control  weaknesses  can  be  identified  and  corrected  before  they  can 
do  further  harm  to  the  agency. 

•  Acceptable  behavior  versus  unacceptable  behavior  and  the  consequences  of  improper 
conduct  are  clearly  communicated  to  all  employees. 

•  Personnel  have  a  means  of  communicating  information  upstream  within  the  agency 
through  someone  other  than  a  direct  supervisor,  and  there  is  a  genuine  willingness  to 
listen  on  the  part  of  management. 

•  Mechanisms  exist  to  allow  the  easy  flow  of  information  down,  across,  and  up  the 
organization,  and  easy  communications  exist  between  functional  activities,  such  as 
between  procurement  activities  and  production  activities. 

•  Employees  indicate  that  informal  or  separate  lines  of  communications  exist,  which 
serve  as  a  “fail-safe”  control  for  normal  communications  avenues.

•  Personnel  understand  that  there  will  be  no  reprisals  for  reporting  adverse  information,
improper  conduct,  or  circumvention  of  internal  control  activities. 

•  Mechanisms  are  in  place  for  employees  to  recommend  improvements  in  operations, 
and  management  acknowledges  good  employee  suggestions  with  cash  awards  or 
other  meaningful  recognition. 

•  Management  communicates  frequently  with  internal  oversight  groups,  such  as  senior 
management  councils,  and  keeps  them  informed  of  performance,  risks,  major 
initiatives,  and  any  other  significant  events. 

2.  Management  ensures  that  effective  external  communications  occur  with  groups
that  can  have  a  serious  impact  on  programs,  projects,  operations,  and  other
activities,  including  budgeting  and  financing.  Consider  the  following:

•  Open  and  effective  communications  channels  have  been  established  with  customers, 
suppliers,  contractors,  consultants,  and  other  groups  that  can  provide  significant  input 
on  quality  and  design  of  agency  products  and  services. 

•  All  outside  parties  dealing  with  the  agency  are  clearly  informed  of  the  agency’s 
ethical  standards  and  also  understand  that  improper  actions,  such  as  improper  billings, 
kickbacks,  or  other  improper  payments,  will  not  be  tolerated. 

•  Communications  from  external  parties,  such  as  other  federal  agencies,  state  and  local
governments,  and  other  related  third  parties,  are  encouraged  since  they  can  be  a  source  of
information  on  how  well  internal  control  is  functioning.

•  The  agency  has  methods  to  ensure  compliance  with  the  Federal  Advisory  Committee 
Act  of  1972  since  such  committees  may  include  individuals  external  to  the  agency 
with  whom  communications  could  occur. 

•  Complaints  or  inquiries,  especially  those  concerning  services,  such  as  shipments,
receipts,  and  billings,  are  welcomed  since  they  can  point  out  control  problems. 

•  Management  makes  certain  that  the  advice  and  recommendations  of  Inspectors 
General  and  other  auditors  and  evaluators  are  fully  considered  and  that  actions  are 
implemented  to  correct  any  problems  or  weaknesses  they  identify. 

•  Communications  with  Congress,  OMB,  Treasury,  other  federal  agencies,  state  and 
local  governments,  the  media,  the  public,  and  others  provide  information  relevant  to 
the  requesters’  needs  so  that  they  can  better  understand  the  agency’s  mission,  goals,
and  objectives,  better  understand  the  risks  facing  the  agency,  and  thus  better 
understand  the  agency. 

Forms  and  Means  of  Communications

1.  The  agency  employs  many  and  various  forms  and  means  of  communicating
important  information  with  employees  and  others.  Consider  the  following:

•  Management  uses  effective  communications  methods,  which  may  include  policy  and 
procedures  manuals,  management  directives,  memoranda,  bulletin  board  notices, 
internet  and  intranet  web  pages,  videotaped  messages,  e-mail,  and  speeches. 

•  Two  of  the  most  powerful  forms  of  communications  used  by  management  are  the 
positive  actions  it  takes  in  dealing  with  personnel  throughout  the  organization  and  its 
demonstrated  support  of  internal  control. 

2.  The  agency  manages,  develops,  and  revises  its  information  systems  in  an  effort  to
continually  improve  the  usefulness  and  reliability  of  its  communication  of
information.  Consider  the  following:

•  Information  systems  management  is  based  on  a  strategic  plan  for  information  systems 
that  is  linked  to  the  agency’s  overall  strategic  plan. 

•  A  mechanism  exists  for  identifying  emerging  information  needs. 

•  As  part  of  the  agency’s  information  management,  improvements  and  advances  in 
technology  are  monitored,  analyzed,  evaluated,  and  introduced  to  help  the  agency 
respond  more  rapidly  and  efficiently  to  those  it  serves. 

•  Management  continually  monitors  the  quality  of  the  information  captured, 
maintained,  and  communicated  as  measured  by  such  factors  as  appropriateness  of 
content,  timeliness,  accuracy,  and  accessibility. 

•  Management’s  support  for  the  development  of  information  technology  is 
demonstrated  by  its  commitment  of  appropriate  human  and  financial  resources  to  the 
effort. 

MONITORING


Ongoing  Monitoring 

1.  Management  has  a  strategy  to  ensure  that  ongoing  monitoring  is  effective  and  will 
trigger  separate  evaluations  where  problems  are  identified  or  systems  are  critical 
and  testing  is  periodically  desirable.  Consider  the  following: 

•  Management’s  strategy  provides  for  routine  feedback  and  monitoring  of  performance 
and  control  objectives. 

•  The  monitoring  strategy  includes  methods  to  emphasize  to  program  and  operational 
managers  that  they  have  responsibility  for  internal  control  and  that  they  should  monitor
the  effectiveness  of  control  activities  as  a  part  of  their  regular  duties. 

•  The  monitoring  strategy  includes  methods  to  emphasize  to  program  managers  their
responsibility  for  internal  control  and  their  duties  to  regularly  monitor  the 
effectiveness  of  control  activities. 

•  The  monitoring  strategy  includes  identification  of  critical  operational  and  mission 
support  systems  that  need  special  review  and  evaluation. 

•  The  strategy  includes  a  plan  for  periodic  evaluation  of  control  activities  for  critical 
operational  and  mission  support  systems. 

2.  In  the  process  of  carrying  out  their  regular  activities,  agency  personnel  obtain 
information  about  whether  internal  control  is  functioning  properly.  Consider  the 
following: 

•  Operating  reports  are  integrated  or  reconciled  with  financial  and  budgetary  reporting 
system  data  and  used  to  manage  operations  on  an  ongoing  basis,  and  management  is 
aware  of  inaccuracies  or  exceptions  that  could  indicate  internal  control  problems. 

•  Operating  management  compares  production,  sales,  or  other  operating  information
obtained  in  the  course  of  its  daily  activities  to  system-generated  information  and 
follows  up  on  any  inaccuracies  or  other  problems  that  might  be  found. 

•  Operating  personnel  are  required  to  “sign-off”  on  the  accuracy  of  their  unit’s  financial
statements  and  are  held  accountable  if  errors  are  discovered. 

3.  Communications  from  external  parties  should  corroborate  internally  generated 
data  or  indicate  problems  with  internal  control.  Consider  the  following: 

•  Management  recognizes  that  customers  paying  for  invoices  help  to  corroborate
billing  data,  while  customer  complaints  indicate  that  deficiencies  may  exist;  and  these 
deficiencies  are  then  investigated  to  determine  the  underlying  causes. 

•  Communications  from  vendors  and  monthly  statements  of  accounts  payable  are  used 
as  control  monitoring  techniques. 

•  Supplier  complaints  about  any  unfair  practices  by  agency  purchasing  agents  are 
investigated. 

•  Congress  and  oversight  groups  communicate  information  to  the  agency  about 
compliance  or  other  matters  that  reflect  on  the  functioning  of  internal  control,  and 
management  follows  up  on  any  problems  indicated. 

•  Control  activities  that  should  have  prevented  or  detected  any  problems  that  arose,  but 
did  not  function  properly,  are  reassessed. 




4.  Appropriate  organizational  structure  and  supervision  help  provide  oversight  of 
internal  control  functions.  Consider  the  following: 

•  Automated  edits  and  checks  as  well  as  clerical  activities  are  used  to  help  control 
accuracy  and  completeness  of  transaction  processing. 

•  Separation  of  duties  and  responsibilities  is  used  to  help  deter  fraud. 

•  The  Inspector  General  is  independent  and  has  authority  to  report  directly  to  the 
agency  head  and  does  not  conduct  agency  operations  for  management. 

5.  Data  recorded  by  information  and  financial  systems  are  periodically  compared 
with  physical  assets  and  discrepancies  are  examined.  Consider  the  following: 

•  Inventory  levels  of  materials,  supplies,  and  other  assets  are  checked  regularly; 
differences  between  recorded  and  actual  amounts  are  corrected;  and  the  reasons  for 
the  discrepancies  resolved. 

•  The  frequency  of  the  comparison  is  a  function  of  the  vulnerability  of  the  asset. 

•  Custodial  accountability  for  assets  and  resources  is  assigned  to  responsible 
individuals. 

6.  The  Inspector  General  and  other  auditors  and  evaluators  regularly  provide 
recommendations  for  improvements  in  internal  control  with  management  taking 
appropriate  follow-up  action. 

7.  Meetings  with  employees  are  used  to  provide  management  with  feedback  on 
whether  internal  control  is  effective.  Consider  the  following: 

•  Relevant  issues,  information,  and  feedback  concerning  internal  control  raised  at 
training  seminars,  planning  sessions,  and  other  meetings  are  captured  and  used  by 
management  to  address  problems  or  strengthen  the  internal  control  structure. 

•  Employee  suggestions  on  internal  control  are  considered  and  acted  upon  as 
appropriate. 

•  Management  encourages  employees  to  identify  internal  control  weaknesses  and 
report  them  to  the  next  supervisory  level. 

8.  Employees  are  regularly  asked  to  state  explicitly  whether  they  comply  with  the 
agency’s  code  of  conduct  or  similar  agency  pronouncements  of  expected  employee 
behavior.  Consider  the  following: 

•  Personnel  periodically  acknowledge  compliance  with  the  code  of  conduct. 

•  Signatures  are  required  to  evidence  performance  of  critical  internal  control  functions, 
such  as  reconciliations. 

Separate  Evaluations 

1.  The  scope  and  frequency  of  separate  evaluations  of  internal  control  are 
appropriate  for  the  agency.  Consider  the  following: 

•  Consideration  is  given  to  the  risk  assessment  results  and  the  effectiveness  of  ongoing 
monitoring  when  determining  the  scope  and  frequency  of  separate  evaluations.

•  Separate  evaluations  are  often  prompted  by  events  such  as  major  changes  in 
management  plans  or  strategies,  major  expansion  or  downsizing  of  the  agency,  or 
significant  changes  in  operations  or  processing  of  financial  or  budgetary  information. 

•  Appropriate  portions  or  sections  of  internal  control  are  evaluated  regularly.

•  Separate  evaluations  are  conducted  by  personnel  with  the  required  skills  that  may 
include  the  agency’s  Inspector  General  or  an  external  auditor. 

2.  The  methodology  for  evaluating  the  agency’s  internal  control  is  logical  and
appropriate.  Consider  the  following:

•  The  methodology  used  may  include  self-assessments  using  checklists,  questionnaires, 
or  other  such  tools,  and  it  may  include  the  use  of  this  Management  and  Evaluation 
Tool  or  some  similar  device. 

•  The  separate  evaluations  may  include  a  review  of  the  control  design  and  direct  testing 
of  the  internal  control  activities. 

•  In  agencies  where  large  amounts  of  data  are  processed  by  the  information  and/or 
financial  systems,  separate  evaluation  methodology  employs  computer  assisted  audit 
techniques  to  identify  indicators  of  inefficiencies,  waste,  or  abuse. 

•  The  evaluation  team  develops  a  plan  for  the  evaluation  process  to  ensure  a 
coordinated  effort. 

•  If  the  evaluation  process  is  conducted  by  agency  employees,  it  is  managed  by  an 
executive  with  the  requisite  authority,  capability,  and  experience. 

•  The  evaluation  team  gains  a  sufficient  understanding  of  the  agency’s  missions,  goals, 
and  objectives  and  its  operations  and  activities. 

•  The  evaluation  team  gains  an  understanding  of  how  the  agency’s  internal  control  is 
supposed  to  work  and  how  it  actually  does  work. 

•  The  evaluation  team  analyzes  the  results  of  the  evaluation  against  established  criteria. 

•  The  evaluation  process  is  properly  documented. 

3.  If  the  separate  evaluations  are  conducted  by  the  agency’s  Inspector  General,  that 
office  has  sufficient  resources,  ability,  and  independence.  Consider  the  following: 

•  The  Inspector  General  has  sufficient  levels  of  competent  and  experienced  staff. 

•  The  Inspector  General  is  organizationally  independent  and  reports  to  the  highest 
levels  within  the  agency. 

•  The  responsibilities,  scope  of  work,  and  audit  plans  of  the  Inspector  General  are 
appropriate  to  the  agency’s  needs. 

4.  Deficiencies  found  during  separate  evaluations  are  promptly  resolved.  Consider 
the  following: 

•  Deficiencies  are  promptly  communicated  to  the  individual  responsible  for  the 
function  and  also  to  at  least  one  level  of  management  above  that  individual. 

•  Serious  deficiencies  and  internal  control  problems  are  promptly  reported  to  top 
management.  This  particular  point  and  the  related  subsidiary  points  are  not  expected 
to  be  assessed  by  agency  management  or  the  agency  Inspector  General.  However, 
their  consideration  may  be  useful  in  outside  reviews  or  peer  reviews. 

Audit  Resolution 


1.  The  agency  has  a  mechanism  to  ensure  the  prompt  resolution  of  findings  from 
audits  and  other  reviews.  Consider  the  following: 

•  Managers  promptly  review  and  evaluate  findings  resulting  from  audits,  FMFIA  and 
FFMIA  assessments,  and  other  reviews,  including  those  showing  deficiencies  and 
those  identifying  opportunities  for  improvements. 

•  Management  determines  the  proper  actions  to  take  in  response  to  findings  and 
recommendations. 

•  Corrective  action  is  taken  or  improvements  made  within  established  time  frames  to 
resolve  the  matters  brought  to  management’s  attention. 

•  In  cases  where  there  is  disagreement  with  the  findings  or  recommendations, 
management  demonstrates  that  those  findings  or  recommendations  are  either  invalid 
or  do  not  warrant  action. 

•  Management  considers  consultations  with  auditors  (such  as  GAO,  the  Inspector 
General,  and  other  external  auditors),  and  reviewers  when  they  are  believed  to  be 
helpful  in  the  audit  resolution  process. 

2.  Agency  management  is  responsive  to  the  findings  and  recommendations  of  audits 
and  other  reviews  aimed  at  strengthening  internal  control.  Consider  the  following: 

•  Executives  with  the  proper  authority  evaluate  the  findings  and  recommendations  and 
decide  upon  the  appropriate  actions  to  take  to  correct  or  improve  control. 

•  Desired  internal  control  actions  are  followed  up  on  to  verify  implementation.  Audit 
Resolution  includes  the  resolution  of  findings  and  recommendations  not  just  from 
formal  audits,  but  also  resulting  from  informal  reviews,  internal  separate  evaluations, 
management  studies,  and  assessments  made  pursuant  to  the  requirements  of  the 
Federal  Managers’  Financial  Integrity  Act  (FMFIA)  of  1982  and  the  Federal 
Financial  Management  Improvement  Act  (FFMIA)  of  1996. 

3.  The  agency  takes  appropriate  follow-up  actions  with  regard  to  findings  and 
recommendations  of  audits  and  other  reviews.  Consider  the  following: 

•  Problems  with  particular  transactions  or  events  are  corrected  promptly. 

•  The  underlying  causes  giving  rise  to  the  findings  or  recommendations  are 
investigated  by  management. 

•  Actions  are  decided  upon  to  correct  the  situation  or  take  advantage  of  the  opportunity 
for  improvements. 

•  Management  and  auditors  follow  up  on  audit  and  review  findings,  recommendations, 
and  the  actions  decided  upon  to  ensure  that  those  actions  are  taken. 

•  Top  management  is  kept  informed  through  periodic  reports  on  the  status  of  audit  and 
review  resolution  so  that  it  can  ensure  the  quality  and  timeliness  of  individual 
resolution  decisions. 